Abstract

We address the problem of computing in the group of $\ell^k$-torsion rational points of the
jacobian variety of algebraic curves over finite fields, with a view toward computing modular
representations.

1 Introduction

Let $\mathbb{F}_q$ be a finite field of characteristic $p$ and $\mathbb{A}^2 \subset \mathbb{P}^2$
the affine and projective planes over $\mathbb{F}_q$ and $C \subset \mathbb{P}^2$ a plane projective
absolutely irreducible reduced curve over $\mathbb{F}_q$ and $X$ its smooth projective model and $J$
the jacobian variety of $X$. Let $g$ be the genus of $X$ and $d$ the degree of $C$.

We assume that we are given the numerator of the zeta function of the function field
$\mathbb{F}_q(X)$. So we know the characteristic polynomial of the Frobenius endomorphism $F_q$ of
$J$. This is a monic degree $2g$ polynomial $\chi(X)$ with integer coefficients.

Let $\ell \ne p$ be a prime integer and let $n = \ell^k$ be a power of $\ell$. We look for a nice
generating set for the group $J[\ell^k](\mathbb{F}_q)$ of $\ell^k$-torsion points in
$J(\mathbb{F}_q)$. By nice we mean that the generating set $(g_i)_{1 \le i \le I}$ should induce a
decomposition of $J[\ell^k](\mathbb{F}_q)$ as a direct product $\prod_{1 \le i \le I} \langle g_i \rangle$
of cyclic subgroups with non-decreasing orders.

Given such a generating set and an $\mathbb{F}_q$-endomorphism of $J$, we also want to describe the
action of this endomorphism on $J[\ell^k](\mathbb{F}_q)$ by an $I \times I$ integer matrix.

In section 3 we recall how to compute in the Picard group $J(\mathbb{F}_q)$. Section 4 gives a naive
algorithm for picking random elements in this group. Pairings are useful when looking for
relations between divisor classes. So we recall how to compute pairings in section 5. Section 6
is concerned with characteristic subspaces for the action of Frobenius inside the
$\ell^\infty$-torsion of $J(\mathbb{F}_q)$. In section 7 we look for a convenient surjection from
$J(\mathbb{F}_q)$ onto its $\ell^k$-torsion subgroup. We use the Kummer exact sequence and the
structure of the ring generated by the Frobenius endomorphism. In section 8 we give an algorithm
that, on input a degree $d$ plane projective curve over $\mathbb{F}_q$, plus some information on its
singularities, and the zeta function of its function field, returns a nice generating set for the
group of $\ell^k$-torsion points inside $J(\mathbb{F}_q)$ in probabilistic polynomial time in
$\log q$, $d$ and $\ell^k$. Sections 9 and 10 are devoted to two families of modular curves.
We give a nice plane model for such curves. The general algorithms presented in section 8 are
then applied to these modular curves in section 11 in order to compute explicitly the modular
representation modulo $\ell$ associated with the discriminant modular form (level 1 and weight 12).
This modulo $\ell$ representation $V_\ell$ is seen as a subgroup of order $\ell^2$ inside the
$\ell$-torsion of $J_1(\ell)/\mathbb{Q}$. The idea is to compute the reduction modulo $p$ of the
group scheme $V_\ell$ as a subgroup of $J_1(\ell)/\mathbb{F}_p$, for many small primes $p$. One then
lifts using the Chinese Remainder Theorem. This makes a connection with Edixhoven's program for
computing coefficients of modular forms. My contribution to this program is sketched in section 2.
See [10, 11]. The core of Edixhoven's program is that if one knows $V_\ell$, one can efficiently
compute the Ramanujan function $\tau(P)$ modulo $\ell$ for a large prime $P$. If we have enough
primes $\ell$, we can deduce the actual value of $\tau(P)$.

The last three sections present variants of the main algorithm and auxiliary results. Section 12
presents a simpler variant of the method of section 11 that is particularly useful when the action
of the $p$-Frobenius on $V_\ell$ modulo $p$ is semisimple non-scalar. In the non-semisimple case,
this simpler method may only produce a non-trivial subspace inside $V_\ell$ modulo $p$. Section 14
proves that this semisimplicity condition holds quite often indeed, as expected. As a consequence,
one may compute the representation $V_\ell$ associated with the discriminant form for at least half
(say) the primes $\ell$, using this simplified algorithm. This suffices for the purpose of computing
the Ramanujan function $\tau(P)$ at a large prime $P$ since we may afford to skip half the auxiliary
primes $\ell$. On the other hand, if one wishes to compute a representation modulo $\ell$ for a
given $\ell$, then one should be ready to face (at least theoretically) the case when no small prime
$p$ is semisimple for $\ell$. In that situation, the simplified algorithm would only give a
non-trivial subspace of $V_\ell$ modulo $p$ for many primes $p$.

Section 13 addresses the problem of computing $V_\ell$ from all the knowledge we have collected
concerning $V_\ell$ mod $p$ for many small primes $p$. It requires a sort of interpolation theorem
in the context of polynomials with integer coefficients. The goal is to recover a polynomial $P(X)$
once given a collection of non-trivial factors of $P(X)$ mod $p$ for many primes $p$. This helps
recovering $V_\ell/\mathbb{Q}$ once given a subspace in its reduction modulo $p$ for enough small
primes $p$.

Altogether, this proves that the simplified algorithm, despite the possibility of many
non-semisimple primes $p$, suffices to compute $V_\ell/\mathbb{Q}$ for all $\ell$.

Remark 1 The symbol O in this article stands for a positive effective absolute constant. So any 
statement containing this symbol becomes true if the symbol is replaced in every occurrence by 
some large enough real number. 

Remark 2 By an algorithm in this paper we usually mean a probabilistic (Las Vegas) algorithm.
This is an algorithm that succeeds with probability $> \frac{1}{2}$. When it fails, it gives no
answer. In some places we shall give deterministic algorithms or probabilistic (Monte-Carlo)
algorithms, but this will be stated explicitly. A Monte-Carlo algorithm gives a correct answer with
probability $> \frac{1}{2}$. But it may give an incorrect answer with probability $< \frac{1}{2}$.
A Monte-Carlo algorithm can be turned into a Las Vegas one, provided we can efficiently check the
correctness of the result. One reason for using probabilistic Turing machines is that in many
places it will be necessary (or at least wiser) to decompose a divisor as a sum of places. This is
the case in particular for the conductor of some plane curve. Another more intrinsically
probabilistic algorithm in this paper is the one that searches for generators of the Picard group.

2 Context: the inverse Jacobi problem

The initial motivation for this work is a discussion I had in 2000 with Bas Edixhoven about his 
program aiming at polynomial time computation of coefficients of modular forms. 

He asked how one can compute (e.g.) the decomposition field of the dimension two modulo
$\ell$ Galois representation $V_\ell$ associated to the discriminant modular form $\Delta$. This
amounts to computing the field of moduli of some very special $\ell$-cyclic coverings of $X_1(\ell)$.

I had some experience in explicit computation of coverings using numerical techniques and
got the impression that a purely algebraic approach would fail to solve such a problem. This is
because $V_\ell$, however small it is, is lost in the middle of the full $\ell$-torsion of
$J_1(\ell)$. And the latter is a huge dimension zero variety (its number of geometric points is
exponential in $\ell$).

The second time I discussed this question with Edixhoven, it became clear that we had two
options. We might compute $V_\ell$ inside the complex torus of $J_1(\ell)$ and evaluate a theta
function at some point $x$ in $V_\ell$. Edixhoven convinced me that this approach was unlikely to
succeed since the number of terms to be considered in the expansion of the theta function would be
exponential in $\ell$, even for a poor accuracy. Another possibility was to solve the inverse Jacobi
problem for $x$ and find a divisor $D = P_1 + \cdots + P_g - gO$ in the class associated to $x$ in
the Picard group of $X_1(\ell)$. Then one would pick a function $f$ on $X_1(\ell)$ and evaluate
$F(x) = f(P_1) + \cdots + f(P_g)$ for example.

Solving the inverse Jacobi problem seemed easy. Indeed one could pick any divisor
$D^0 = P_1^0 + \cdots + P_g^0 - gO$ of the above form on $X_1(\ell)$ and compute its image $x^0$ by
the Jacobi map. Then one would move slowly from $x^0$ to $x$ inside the complex torus
$J_1(\ell)(\mathbb{C})$. At each step the corresponding divisor would be computed from the previous
one using Newton's method.

Although the Jacobi map is birational, it is not quite an isomorphism however. It has a
singular locus and it was not clear how one could avoid this obstacle in the journey from $x^0$ to
$x$.

It was decided that I would think about how to solve this problem while Edixhoven would
prove good bounds on the height of the algebraic number $F(x)$ coming out of the algorithm.
Edixhoven first proved the analogous bound in the function field case. Then, Bas Edixhoven and
Robin de Jong, using Arakelov theory and results by Merkl in [11] or J. Jorgenson and J. Kramer
in [19], proved the bound for the height of $F(x)$.

On my side, I was trying to avoid the singular locus. I believe that in general, the problem 
of avoiding the singular locus might very well be NP-complete. Indeed, if the curve under 
consideration is very close to the boundary of the moduli space, the problem takes a discrete 
aspect: the curve has long tubes and sometimes one may have to decide to push one point through 
one tube or the other one. In case one makes the wrong decision, one may be lost for ever. The 
problem can be phrased in a more mathematical way: if the curve is (close to) a Mumford curve, 
solving the inverse Jacobi problem assumes one can solve the discrete counterpart for it: solving 
the Jacobi problem for a finite graph; namely the intersection graph of the curve. See theorem 
Theorem 2.1 and the following remark for a statement of this problem, that I suspect is very hard 
when the genus of the graph tends to infinity. 

Of course one may expect that $J_1(\ell)$ keeps far enough from the boundary of its moduli space
when $\ell$ tends to infinity. However, I was not able to give a proof that the above ideas do
succeed in solving the inverse Jacobi problem, even for these curves. I had to build on a rather
different idea and proved in [8] that for $X_0(\ell)$ at least, solving the inverse Jacobi problem
is deterministic polynomial time in $\ell$ and the required precision.

The first version of [8] was ready in January 2004. Extending this result to any modular curve
is just a technical problem, but I confess I was tired with technicalities and I stopped there with
the complex method.

Starting in August 2003 I decided to look for a $p$-adic analogue of this complex method:
looking for a $p$-adic approximation instead of a complex one. After some hesitation I realized
that computing modulo several small primes $p$ and then lifting using the Chinese remainder
would lead to a simpler algorithm. This text gathers the results of this research. The methods
presented here are the discrete counterpart of the ones in [8]. The essence of theorem 2 is that the
discrete method presented in this paper applies to modular curves $X_1(\ell)$. This is exactly what
is needed for the purpose of computing the Ramanujan function.

The complex approach is more tedious but leads to deterministic algorithms. The main reason 
is that the set of complex points in the jacobian is a connected topological space. The modulo p 
approach that we present here seems intrinsically probabilistic, because one has to find generators 
of Picard groups of curves over finite fields. 

I should also say that the complex approach was not abandoned since Johan Bosman started
in June 2004 his PhD with Edixhoven on this topic and he succeeded in explicitly computing
some $V_\ell$ using the complex method. See [3]. He built on the Newton approach to solving the
inverse Jacobi problem, as sketched above. This shows that the singular locus of the Jacobi map
is not so disturbing after all, at least in practice.

Several sections in this text have been included in Edixhoven's report [11]. Many thanks are
due to Bas Edixhoven and Robin de Jong for useful discussions, suggestions, and comments.

Many thanks also to John Cremona and the anonymous referee for reading in detail this long 
manuscript and for their useful comments. 

3 Basic algorithms for plane curves 

We recall elementary results about computing in the Picard group of an algebraic curve over a 
finite field. See DUES. 

3.1 Finite fields 

We should first explain how finite fields are represented. The base field $\mathbb{F}_q$ is given by
an irreducible polynomial $f(X)$ with degree $a$ and coefficients in $\mathbb{F}_p$ where $p$ is the
characteristic and $q = p^a$. So $\mathbb{F}_q$ is $\mathbb{F}_p[X]/f(X)$. An extension of
$\mathbb{F}_q$ is given similarly by an irreducible polynomial in $\mathbb{F}_q[X]$. Polynomial
factoring in $\mathbb{F}_q[X]$ is probabilistic polynomial time in $\log q$ and the degree of the
polynomial to be factored.

3.2 Plane projective curves and their smooth model 

We now explain how curves are supposed to be represented in this paper.
To start with, a projective plane curve $C$ over $\mathbb{F}_q$ is given by a degree $d$ homogeneous
polynomial $E(X, Y, Z)$ in the three variables $X$, $Y$ and $Z$, with coefficients in
$\mathbb{F}_q$. The curve $C$ is assumed to be absolutely irreducible and reduced. By a point on $C$
we mean a geometric point (an element of $C(\bar{\mathbb{F}}_q)$). Any $\bar{\mathbb{F}}_q$-point on
$C$ can be represented by its affine or projective coordinates.

Let $X$ be a smooth model of $C$. There is a desingularization map $X \to C$. If
$P \in X(\bar{\mathbb{F}}_q)$ is a geometric point on $X$ above a singular point $S$ on $C$, we say
that $P$ is a singular branch.

The conductor $\mathfrak{C}$ is an effective divisor on $X$ with even coefficients. Some authors
call it the adjunction divisor. Its support is made of all singular branches. The conductor
expresses the local behaviour of the map $X \to C$. See [29, IV.1], [15]. We have
$\deg(\mathfrak{C}) = 2\delta$ where $\delta$ is the difference between the arithmetic genus
$\frac{(d-1)(d-2)}{2}$ of $C$ and the geometric genus $g$ of $X$. Since
$\delta \le \frac{(d-1)(d-2)}{2}$, the support of $\mathfrak{C}$ contains at most
$\frac{(d-1)(d-2)}{2}$ geometric points in $X(\bar{\mathbb{F}}_q)$. So the field of definition of
any singular branch on $X$ is an extension of $\mathbb{F}_q$ with degree
$\le \frac{(d-1)(d-2)}{2}$. A modern reference for singularities of plane curves is [5] and
especially section 5.8.

The smooth model $X$ of $C$ is not given as a projective variety. Indeed, we shall only need a
nice local description of $X$ above every singularity of $C$. This means we need a list of all
singular points on $C$, and a list (a labelling) of all points in $X(\bar{\mathbb{F}}_q)$ lying
above every singularity of $C$ (the singular branches), and a uniformizing parameter at every such
branch. We also need the Laurent series expansions of affine plane coordinates in terms of all
these uniformizing parameters.

More precisely, let $P \in X(\bar{\mathbb{F}}_q)$ be a geometric point above a singular point $S$,
and let $v$ be the corresponding valuation. The field of definition of $P$ is an extension field
$\mathbb{F}_P$ of $\mathbb{F}_q$ with degree $\le \frac{(d-1)(d-2)}{2}$. Let $x$ and $y$ be affine
coordinates that vanish at the singular point $S$ on $C$. We need a local parameter $t$ at $P$ and
expansions $x = \sum_{k \ge v(x)} a_k t^k$ and $y = \sum_{k \ge v(y)} b_k t^k$ with coefficients in
$\mathbb{F}_P$.

Because these expansions are not finite, we just assume we are given an oracle that on input 
a positive integer n returns the first n terms in all these expansions. 
This is what we mean when we say the smooth model X is given. 

We may also assume that we are given the conductor $\mathfrak{C}$ of $C$ as a combination of
singular branches with even coefficients. The following algorithms still work if the conductor is
replaced by any divisor $D$ that is greater than the conductor and has polynomial degree in $d$.
Such a divisor can be found easily: the singular branches on $X$ are supposed to be known already,
and the multiplicities are bounded above by $\frac{(d-1)(d-2)}{2}$.

There are many families of curves for which such a smooth model can be given as a Turing
machine that answers in probabilistic polynomial time in the size $\log q$ of the field and the
degree $d$ of $C$ and the number $n$ of requested significant terms in the parametrizations of
singular branches. This is the case for curves with ordinary multiple points for example. We shall
show in sections 9 and 10 that this is also the case for two nice families of modular curves.

3.3 Divisors, forms, and functions 

Smooth $\mathbb{F}_q$-points on $C$ are represented by their affine or projective coordinates.
Labelling for the branches above singular points is given in the description of $X$. So we know how
to represent divisors on $X$.

For any integer $h \ge 0$ we set

$$\mathcal{S}_h = H^0(\mathbb{P}^2/\mathbb{F}_q, \mathcal{O}_{\mathbb{P}^2/\mathbb{F}_q}(h))$$

the $\mathbb{F}_q$-linear space of degree $h$ homogeneous polynomials in $X$, $Y$, and $Z$. It is a
vector space of dimension $\frac{(h+1)(h+2)}{2}$ over $\mathbb{F}_q$. A basis for it is made of all
monomials of the form $X^a Y^b Z^c$ with $a, b, c \in \mathbb{N}$ and $a + b + c = h$.
We denote by

$$\mathcal{H}_h = H^0(X/\mathbb{F}_q, \mathcal{O}_{X/\mathbb{F}_q}(h))$$

the space of forms of degree $h$ on $X$. Here $\mathcal{O}_{X/\mathbb{F}_q}(h)$ is the pullback of
$\mathcal{O}_{\mathbb{P}^2/\mathbb{F}_q}(h)$ to $X$.

Let $W$ be a degree $h$ form on $\mathbb{P}^2$ having non-zero pullback $W_X$ on $X$. Let
$H = (W_X)$ be the divisor of this restriction. The map $f \mapsto \frac{f}{W_X}$ is a bijection
from $H^0(X/\mathbb{F}_q, \mathcal{O}_{X/\mathbb{F}_q}(h))$ to the linear space $\mathcal{L}(H)$.

If $A$ is a divisor on $X$ we note $\mathcal{H}_h(-A)$ the subspace of forms in $\mathcal{H}_h$
with divisor $\ge A$. The dimension of $\mathcal{H}_h(-\mathfrak{C})$ is at least
$dh + 1 - g - \deg(\mathfrak{C})$ and is equal to this number when it exceeds $g - 1$. This is the
case if $h \ge d$. The dimension of $\mathcal{H}_h(-\mathfrak{C})$ is greater than $2g$ if
$h \ge 2d$.

The image of the restriction map $\rho : \mathcal{S}_h \to \mathcal{H}_h$ contains
$\mathcal{H}_h(-\mathfrak{C})$ according to Noether's residue theorem [15, Theorem 7].

We set $\mathcal{S}_C = \mathcal{S}_{2d}$ and $\mathcal{H}_C = \mathcal{H}_{2d}(-\mathfrak{C})$,
and $\mathcal{F}_C = \rho^{-1}(\mathcal{H}_C) \subset \mathcal{S}_C$ and
$\mathcal{K}_C = \mathrm{Ker}(\rho) \subset \mathcal{F}_C$.
So we have $0 \to \mathcal{K}_C \to \mathcal{F}_C \to \mathcal{H}_C \to 0$.

To find linear equations for $\mathcal{F}_C \subset \mathcal{S}_C$ we consider a generic
homogeneous form $F(X, Y, Z) = \sum_{a+b+c=2d} \epsilon_{a,b,c} X^a Y^b Z^c$ of degree $2d$ in $X$,
$Y$ and $Z$. For every branch $P$ above a singular point $S \in C$ (assuming for example that $S$
has non-zero $Z$-coordinate) we replace in $F(x, y, 1)$ the affine coordinates $x = \frac{X}{Z}$ and
$y = \frac{Y}{Z}$ by their expansions as series in the local parameter $t_P$ at this branch. We ask
the resulting series in $t_P$ to have valuation at least the multiplicity of $P$ in the conductor
$\mathfrak{C}$. Every singular branch thus produces linear equations in the $\epsilon_{a,b,c}$. The
collection of all such equations defines the subspace $\mathcal{F}_C$.

A basis for the subspace $\mathcal{K}_C \subset \mathcal{F}_C \subset \mathcal{S}_C$ consists of
all $X^a Y^b Z^c E(X, Y, Z)$ with $a + b + c = d$. We fix a supplementary space $\mathcal{M}_C$ to
$\mathcal{K}_C$ in $\mathcal{F}_C$ and assimilate $\mathcal{H}_C$ to it.

Given a homogeneous form in three variables one can compute its divisor on X using re- 
sultants and the given expansions of affine coordinates in terms of the local parameters at every 
singular branch. A function is given as a quotient of two forms. 

3.4 The Brill-Noether algorithm 

Linear spaces of forms computed in the previous paragraph allow us to compute in the group
$J(\mathbb{F}_q)$ of $\mathbb{F}_q$-points in the jacobian of $X$. We fix an effective
$\mathbb{F}_q$-divisor $\omega$ with degree $g$ on $X$. This $\omega$ will serve as an origin: a
point $\alpha \in J(\mathbb{F}_q)$ is represented by a divisor $A - \omega$ in the corresponding
linear equivalence class, where $A$ is an effective $\mathbb{F}_q$-divisor with degree $g$. Given
another point $\beta \in J(\mathbb{F}_q)$ by a similar divisor $B - \omega$, we can compute the
space $\mathcal{H}_{2d}(-\mathfrak{C} - A - B)$ which is non-trivial and pick a non-zero form $f_1$
in it. The divisor of $f_1$ is $(f_1) = A + B + \mathfrak{C} + R$ where $R$ is an effective divisor
with degree $2d^2 - 2g - 2\delta$. The linear space $\mathcal{H}_{2d}(-\mathfrak{C} - R - \omega)$
has dimension at least 1. We pick a non-zero form $f_2$ in it. It has divisor
$(f_2) = \mathfrak{C} + R + \omega + D$ where $D$ is effective with degree $g$. And $D - \omega$ is
linearly equivalent to $A - \omega + B - \omega$.

In order to invert the class $\alpha$ of $A - \omega$ we pick a non-zero form $f_1$ in
$\mathcal{H}_{2d}(-\mathfrak{C} - 2\omega)$. The divisor of $f_1$ is
$(f_1) = 2\omega + \mathfrak{C} + R$ where $R$ is an effective divisor with degree
$2d^2 - 2g - 2\delta$. The linear space $\mathcal{H}_{2d}(-\mathfrak{C} - R - A)$ has dimension at
least 1. We pick a non-zero form $f_2$ in it. It has divisor $(f_2) = \mathfrak{C} + R + A + B$
where $B$ is effective with degree $g$. And $B - \omega$ is linearly equivalent to $-(A - \omega)$.

This algorithm works just as well if we replace $\mathfrak{C}$ by some $D \ge \mathfrak{C}$ having
polynomial degree in $d$.

Lemma 1 (Arithmetic operations in the jacobian) Let $C/\mathbb{F}_q$ be a degree $d$ plane
projective absolutely irreducible reduced curve. Let $g$ be the geometric genus of $C$. Assume we
are given the smooth model $X$ of $C$ and a $\mathbb{F}_q$-divisor with degree $g$ on $X$, denoted
$\omega$. We assume $\omega$ is given as a difference between two effective divisors with degrees
bounded by a polynomial in $d$. This $\omega$ serves as an origin. Arithmetic operations in the
Picard group $\mathrm{Pic}^0(X/\mathbb{F}_q)$ can be performed in time polynomial in $\log q$ and
$d$. This includes addition, subtraction and comparison of divisor classes.

If $\omega$ is not effective, we use lemma 2 below to compute a non-zero function $f$ in
$\mathcal{L}(\omega)$ and we write $\omega' = (f) + \omega$. This is an effective divisor with
degree $g$. We replace $\omega$ by $\omega'$ and finish as in the paragraph before lemma 1. □

We now recall the principle of the Brill-Noether algorithm for computing complete linear
series. Functions in $\mathbb{F}_q(X)$ are represented as quotients of forms.

Lemma 2 (Brill-Noether) There exists an algorithm that on input a degree $d$ plane projective
absolutely irreducible reduced curve $C/\mathbb{F}_q$ and the smooth model $X$ of $C$ and two
effective $\mathbb{F}_q$-divisors $A$ and $B$ on $X$, computes a basis for $\mathcal{L}(A - B)$ in
time polynomial in $d$ and $\log q$ and the degrees of $A$ and $B$.

We assume $\deg(A) \ge \deg(B)$, otherwise $\mathcal{L}(A - B) = 0$. Let $a$ be the degree of $A$.
We let $h$ be the smallest integer such that $h > 2d$ and $hd + g + 1 > a + (d - 1)(d - 2)$.

So the space $\mathcal{H}_h(-\mathfrak{C} - A)$ is non-zero. It is contained in the image of the
restriction map $\rho : \mathcal{S}_h \to \mathcal{H}_h$ so that we can represent it as a subspace
of $\mathcal{S}_h$. We pick a non-zero form $f$ in $\mathcal{H}_h(-\mathfrak{C} - A)$ and compute
its divisor $(f) = \mathfrak{C} + A + D$.

The space $\mathcal{H}_h(-\mathfrak{C} - B - D)$ is contained in the image of the restriction map
$\rho : \mathcal{S}_h \to \mathcal{H}_h$ so that we can represent it as a subspace of
$\mathcal{S}_h$. We compute forms $\gamma_1, \gamma_2, \ldots, \gamma_k$ in $\mathcal{S}_h$ such
that their images by $\rho$ provide a basis for $\mathcal{H}_h(-\mathfrak{C} - B - D)$. A basis for
$\mathcal{L}(A - B)$ is made of the functions
$\frac{\gamma_1}{f}, \frac{\gamma_2}{f}, \ldots, \frac{\gamma_k}{f}$. Again this algorithm works
just as well if we replace $\mathfrak{C}$ by some $D \ge \mathfrak{C}$ having polynomial degree in
$d$. □

We deduce an explicit moving lemma for divisors. 

Lemma 3 (Moving divisor lemma I) There exists an algorithm that on input a degree $d$ plane
projective absolutely irreducible reduced curve $C/\mathbb{F}_q$ and the smooth model $X$ of $C$
and a degree zero $\mathbb{F}_q$-divisor $D = D^+ - D^-$ and an effective divisor $A$ with degree
$< q$ on $X$ computes a divisor $E = E^+ - E^-$ linearly equivalent to $D$ and disjoint to $A$ in
time polynomial in $d$ and $\log q$ and the degrees of $D^+$, and $A$. Further the degree of $E^+$
and $E^-$ can be taken to be $< 2gd$.

Let $O$ be an $\mathbb{F}_q$-rational divisor on $X$ such that $1 \le \deg(O) \le d$ and disjoint
to $A$. We may take $O$ to be a well chosen fiber of some plane coordinate function on $X$. We
compute the linear space $\mathcal{L} = \mathcal{L}(D^+ - D^- + 2gO)$. The subset of functions $f$
in $\mathcal{L}$ such that $(f) + D^+ - D^- + 2gO$ is not disjoint to $A$ is contained in a union of
at most $\deg(A) < q$ hyperplanes. We conclude invoking lemma 4 below. □

There remains to state and prove the 

Lemma 4 (Solving inequalities) Let $q$ be a prime power, $d \ge 2$ and $n \ge 1$ two integers and
let $H_1, \ldots, H_n$ be hyperplanes inside $V = \mathbb{F}_q^d$, each given by a linear equation.
Assume $n < q$. There exists a deterministic algorithm that finds a vector in
$U = V - \bigcup_{1 \le k \le n} H_k$ in time polynomial in $\log q$, $d$ and $n$.

This is proved by lowering the dimension $d$. For $d = 2$ we pick any affine line $L$ in $V$ not
containing the origin. We observe that there are at least $q - n$ points in
$U \cap L = L - \bigcup_{1 \le k \le n} L \cap H_k$. We enumerate points in $L$ until we find one
which is not in any $H_k$. This requires at most $n + 1$ trials.

Assume now $d$ is bigger than 2. Hyperplanes in $V$ are parametrized by the projective space
$\mathbb{P}(\hat{V})$ where $\hat{V}$ is the dual of $V$. We enumerate points in
$\mathbb{P}(\hat{V})$ until we find a hyperplane $K$ distinct from every $H_k$. We compute a basis
for $K$ and an equation for every $H_k \cap K$ in this basis. This way, we have lowered the
dimension by 1. □
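
The dimension-lowering argument of lemma 4, as an added Python example (not code from the paper). It assumes $q$ is prime, so that integers modulo $q$ model $\mathbb{F}_q$; the function names and the particular choice of the line $L$ and of the hyperplanes $K$ are this example's own.

```python
def avoid_hyperplanes(q, d, equations):
    """Return v in F_q^d with a . v != 0 (mod q) for every equation a.

    Assumptions of this example: q is prime, d >= 2, each equation is a
    non-zero coefficient vector of length d, and there are n < q of them.
    """
    n = len(equations)
    if d < 2 or n >= q:
        raise ValueError("need d >= 2 and fewer than q hyperplanes")
    eqs = [[c % q for c in a] for a in equations]
    if any(len(a) != d or not any(a) for a in eqs):
        raise ValueError("each equation must be a non-zero vector of length d")

    # Lower the dimension.  K_t = {v : v_1 + t*v_2 = 0} has the basis
    # (-t, 1, 0, ..., 0), e_3, ..., e_m.  In that basis the equation
    # (a_1, ..., a_m) restricts to (a_2 - t*a_1, a_3, ..., a_m), which is
    # zero exactly when H = K_t.  Each H equals K_t for at most one t,
    # so one of t = 0, ..., n gives a K distinct from every H_k.
    m, chosen = d, []
    while m > 2:
        for t in range(n + 1):
            restricted = [[(a[1] - t * a[0]) % q] + a[2:] for a in eqs]
            if all(any(r) for r in restricted):
                break
        else:
            raise AssertionError("unreachable when n < q")
        chosen.append(t)
        eqs, m = restricted, m - 1

    # Base case d = 2: walk along the affine line L = {(1, s)}, which
    # misses the origin; each H_k meets L in at most one point, so at
    # most n + 1 trials are needed.
    for s in range(n + 1):
        if all((a[0] + a[1] * s) % q for a in eqs):
            break
    else:
        raise AssertionError("unreachable when n < q")

    # Lift the solution back through the chosen hyperplanes K_t.
    v = [1, s]
    for t in reversed(chosen):
        v = [(-t * v[0]) % q, v[0]] + v[1:]
    return v


def misses_all(q, equations, v):
    """True when v lies on none of the hyperplanes a . v = 0 (mod q)."""
    return all(sum(a * b for a, b in zip(e, v)) % q for e in equations)


# Constructed sample: four hyperplanes in F_5^3 (n = 4 < q = 5).
SAMPLE_Q = 5
SAMPLE_EQUATIONS = [[1, 0, 0], [0, 1, 0], [0, 0, 1], [1, 1, 1]]

if __name__ == "__main__":
    v = avoid_hyperplanes(SAMPLE_Q, 3, SAMPLE_EQUATIONS)
    print(v, misses_all(SAMPLE_Q, SAMPLE_EQUATIONS, v))
```

The number of arithmetic operations is polynomial in $d$ and $n$, and no randomness is used, which is what the moving divisor lemma needs from this step.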

We can strengthen a bit the moving divisor algorithm by removing the condition that $A$ has
degree $< q$. Indeed, in case this condition is not met, we call $\alpha$ the smallest integer such
that $q^\alpha > \deg(A)$ and we set $\beta = \alpha + 1$. We apply lemma 3 after base change to the
field with $q^\alpha$ elements and find a divisor $E_\alpha$. We call $e_\alpha$ the norm of
$E_\alpha$ from $\mathbb{F}_{q^\alpha}$ to $\mathbb{F}_q$. It is equivalent to $\alpha D$. We
similarly construct a divisor $e_\beta$ that is equivalent to $(\alpha + 1)D$. We return the divisor
$E = e_\beta - e_\alpha$. We observe that we can take $\alpha < 1 + \log_q \deg(A)$ so the degree
of the positive part $E^+$ of $E$ is $< 6gd(\log_q(\deg(A)) + 1)$.

Lemma 5 (Moving divisor lemma II) There exists an algorithm that on input a degree $d$ plane
projective absolutely irreducible curve $C/\mathbb{F}_q$ and the smooth model $X$ of $C$ and a
degree zero $\mathbb{F}_q$-divisor $D = D^+ - D^-$ and an effective divisor $A$ on $X$ computes a
divisor $E = E^+ - E^-$ linearly equivalent to $D$ and disjoint to $A$ in time polynomial in $d$ and
$\log q$ and the degrees of $D^+$, and $A$. Further the degree of $E^+$ and $E^-$ can be taken to be
$< 6gd(\log_q(\deg(A)) + 1)$.

4 A first approach to picking random divisors 

Given a finite field $\mathbb{F}_q$ and a plane projective absolutely irreducible reduced curve $C$
over $\mathbb{F}_q$ with projective smooth model $X$, we call $J$ the jacobian of $X$ and we
consider two related problems: picking a random element in $J(\mathbb{F}_q)$ with (close to) uniform
distribution and finding a generating set for (a large subgroup of) $J(\mathbb{F}_q)$. Let $g$ be
the genus of $X$. We assume we are given a degree 1 divisor $O = O^+ - O^-$ where $O^+$ and $O^-$
are effective, $\mathbb{F}_q$-rational and have degree bounded by an absolute constant times $g$.

We know from [26, Theorem 2] that the group $\mathrm{Pic}^0(X/\mathbb{F}_q)$ is generated by the
classes $[\mathfrak{p} - \deg(\mathfrak{p})O]$ where $\mathfrak{p}$ runs over the set of prime
divisors of degree $< 1 + 2\log_q(4g - 2)$. For the convenience of the reader we quote this result
as a lemma.

Lemma 6 (Müller, Stein, Thiel) Let $K$ be an algebraic function field of one variable over
$\mathbb{F}_q$. Let $N > 0$ be an integer. Let $g$ be the genus of $K$. Let
$\chi : \mathrm{Div}(X) \to \mathbb{C}^*$ be a character of finite order which is non-trivial when
restricted to $\mathrm{Div}^0$. Assume that $\chi(\mathfrak{B}) = 1$ for every prime divisor
$\mathfrak{B}$ of degree $< N$. Then

$$N < 2\log_q(4g - 2).$$

If $q < 4g^2$, the number of prime divisors of degree $< 1 + 2\log_q(4g - 2)$ is bounded by
$O g^{O}$. So we can compute easily a small generating set for $J(\mathbb{F}_q)$.

In the rest of this section, we will assume that the size $q$ of the field is greater than or equal
to $4g^2$. This condition ensures the existence of a $\mathbb{F}_q$-rational point.

Picking efficiently and provably random elements in $J(\mathbb{F}_q)$ with uniform distribution
seems difficult to us. We first give here an algorithm for efficiently constructing random divisors
with a distribution that is far from uniform but still sufficient to construct a generating set for
a large subgroup of $J(\mathbb{F}_q)$. Once given generators, picking random elements becomes much
easier.

Let $r$ be the smallest prime integer bigger than 30, $2g - 2$ and $d$. We observe $r$ is less than
$\max(4g - 4, 2d, 60)$.

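The set $\mathcal{P}(r, q)$ of $\mathbb{F}_q$-places with degree $r$ on $X$ has cardinality

$$\frac{\#X(\mathbb{F}_{q^r}) - \#X(\mathbb{F}_q)}{r}.$$

So

$$(1 - 10^{-2})\frac{q^r}{r} \le \#\mathcal{P}(r, q) \le (1 + 10^{-2})\frac{q^r}{r}.$$

Indeed, $|\#X(\mathbb{F}_{q^r}) - q^r - 1| \le 2gq^{r/2}$ and
$|\#X(\mathbb{F}_q) - q - 1| \le 2gq^{1/2}$.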

So \ #V(r,q) - f | < < 8gi and 8rg^ < r2 3 "5 < 10" 2 since r > 31. 

Since we are given a degree $d$ plane model $C$ for the curve $X$, we have a degree $d$ map
$x : X \to \mathbb{P}^1$. Since $d < r$, the function $x$ maps $\mathcal{P}(r, q)$ to the set
$\mathcal{U}(r, q)$ of monic prime polynomials of degree $r$ over $\mathbb{F}_q$. The cardinality of
$\mathcal{U}(r, q)$ is so

$$(1 - 10^{-9})\frac{q^r}{r} \le \#\mathcal{U}(r, q) \le \frac{q^r}{r}.$$

The fibers of the map $x : \mathcal{P}(r, q) \to \mathcal{U}(r, q)$ have cardinality between and
We can pick a random element in $\mathcal{U}(r, q)$ with uniform distribution in the following way:
we pick a random monic polynomial of degree $r$ with coefficients in $\mathbb{F}_q$, with uniform
distribution. We check whether it is irreducible. If it is, we output it. Otherwise we start again.
This is polynomial time in $r$ and $\log q$.
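
The rejection sampling of a uniform element of $\mathcal{U}(r, q)$ described above, as an added Python example (not code from the paper). It assumes $q = p$ is prime and uses Rabin's irreducibility test specialised to prime degree $r$, which is a choice of this example since the text does not name a test; all function names are hypothetical.

```python
import random


def trim(a):
    """Drop zero leading coefficients; polynomials are lists, low degree first."""
    while a and a[-1] == 0:
        a.pop()
    return a


def rem(a, f, p):
    """Remainder of a modulo the non-zero polynomial f over F_p."""
    a = trim([c % p for c in a])
    inv, df = pow(f[-1], -1, p), len(f) - 1
    while len(a) > df:
        c = a.pop() * inv % p            # leading coefficient of a
        shift = len(a) - df
        for i in range(df):
            a[shift + i] = (a[shift + i] - c * f[i]) % p
    return trim(a)


def mulmod(a, b, f, p):
    if not a or not b:
        return []
    prod = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] = (prod[i + j] + x * y) % p
    return rem(prod, f, p)


def powmod(a, e, f, p):
    result, a = [1], rem(a, f, p)
    while e:
        if e & 1:
            result = mulmod(result, a, f, p)
        a = mulmod(a, a, f, p)
        e >>= 1
    return result


def gcd(a, b, p):
    a, b = trim([c % p for c in a]), trim([c % p for c in b])
    while b:
        a, b = b, rem(a, b, p)
    return a


def is_irreducible(f, p):
    """Rabin's test for a monic f of prime degree r over F_p:
    f is irreducible iff x^(p^r) = x mod f and gcd(x^p - x, f) = 1."""
    r = len(f) - 1
    frob = powmod([0, 1], p, f, p)       # x^p mod f
    h = frob
    for _ in range(r - 1):
        h = powmod(h, p, f, p)           # ends at x^(p^r) mod f
    if h != [0, 1]:
        return False
    diff = frob + [0] * (r - len(frob))  # x^p - x, padded to length r
    diff[1] = (diff[1] - 1) % p
    return len(gcd(f, diff, p)) == 1


def random_irreducible(p, r, rng=None):
    """Uniform monic irreducible polynomial of prime degree r over F_p,
    together with the number of candidates that were drawn."""
    if r < 2 or any(r % k == 0 for k in range(2, int(r ** 0.5) + 1)):
        raise ValueError("this specialised test needs r prime")
    rng = rng or random.SystemRandom()
    trials = 0
    while True:
        trials += 1
        f = [rng.randrange(p) for _ in range(r)] + [1]
        if is_irreducible(f, p):
            return f, trials


if __name__ == "__main__":
    print(random_irreducible(7, 5))
```

Each candidate is accepted with probability close to $1/r$, so about $r$ draws are expected before one is returned.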

Given a random element in $\mathcal{U}(r, q)$ with uniform distribution, we can compute the fiber of
$x : \mathcal{P}(r, q) \to \mathcal{U}(r, q)$ above it and, provided this fiber is non-empty, pick a
random element in it with uniform distribution. If the fiber is empty, we pick another element in
$\mathcal{U}(r, q)$ until we find a non-empty fiber. At least one in every $d \times (0.99)^{-1}$
fibers is non-empty. We thus define a distribution $\mu$ on $\mathcal{P}(r, q)$ and prove the
following.

Lemma 7 (A very rough measure) There is a unique measure $\mu$ on $\mathcal{P}(r, q)$ such that all
non-empty fibers of the map $x : \mathcal{P}(r, q) \to \mathcal{U}(r, q)$ have the same measure, and
all points in a given fiber have the same measure. There exists a probabilistic algorithm that picks
a random element in $\mathcal{P}(r, q)$ with distribution $\mu$ in time polynomial in $d$ and
$\log q$. For every subset $Z$ of $\mathcal{P}(r, q)$ the measure $\mu(Z)$ is related to the uniform
measure $\frac{\#Z}{\#\mathcal{P}(r, q)}$ by

$$\frac{\#Z}{d\,\#\mathcal{P}(r, q)} \le \mu(Z) \le \frac{d\,\#Z}{\#\mathcal{P}(r, q)}.$$

Now let $\mathcal{D}(r, q)$ be the set of effective $\mathbb{F}_q$-divisors with degree $r$ on $X$.
Since we have assumed $q \ge 4g^2$ we know that $X$ has at least one $\mathbb{F}_q$-rational point.
Let $\Omega$ be a degree $r$ effective divisor on $X/\mathbb{F}_q$. We associate to every $\alpha$
in $\mathcal{D}(r, q)$ the class of $\alpha - \Omega$ in $J(\mathbb{F}_q)$. This defines a
surjection $J_r : \mathcal{D}(r, q) \to J(\mathbb{F}_q)$ with all its fibers having cardinality
$\#\mathbb{P}^{r-g}(\mathbb{F}_q)$.

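So the set $\mathcal{D}(r, q)$ has cardinality $\frac{q^{r-g+1} - 1}{q - 1}\#J(\mathbb{F}_q)$.

So

$$\#\mathcal{P}(r, q) \le \#\mathcal{D}(r, q) \le \frac{q^{r-g}}{1 - \frac{1}{q}}\, q^g \left(1 + \frac{1}{\sqrt{q}}\right)^{2g}.$$

Since $q \ge 4g^2$ we have $\#\mathcal{P}(r, q) \le 2eq^r$.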

Assume $G$ is a finite group and $\psi$ an epimorphism of groups $\psi : J(\mathbb{F}_q) \to G$. We
look for some divisor $A \in \mathcal{D}(r, q)$ such that $\psi(J_r(A)) \ne 0 \in G$. Since all the
fibers of $\psi \circ J_r$ have the same cardinality, the fiber above $0$ has at most elements. So
the number of prime divisors $A \in \mathcal{P}(r, q)$ such that $\psi(J_r(A))$ is not $0$ is at
least q r (^- - We assume $\#G$ is at least $12r$. Then at least half of the divisors in
$\mathcal{P}(r, q)$ are not mapped onto $0$ by $\psi \circ J_r$. The $\mu$-measure of the subset
consisting of these elements is at least $\frac{1}{2d}$.

So if we pick a random $A$ in $\mathcal{P}(r, q)$ with $\mu$-measure as in lemma 7 the probability
of success is at least $\frac{1}{2d}$. If we make $2d$ trials, the probability of success is
$> 1 - \exp(-1) > \frac{1}{2}$.

Lemma 8 (Finding non-zero classes) There exists a probabilistic (Monte-Carlo) algorithm that
takes as input

1. a degree $d$ and geometric genus $g$ plane projective absolutely irreducible reduced curve $C$
over $\mathbb{F}_q$, such that $q \ge 4g^2$,

2. the smooth model $X$ of $C$,

3. a degree $g$ effective divisor $\omega$, as origin,

4. an epimorphism $\psi : \mathrm{Pic}^0(X/\mathbb{F}_q) \to G$ (that need not be computable) such
that the cardinality of $G$ is at least $\max(48g, 24d, 720)$,

and outputs a sequence of $2d$ elements in $\mathrm{Pic}^0(X/\mathbb{F}_q)$ such that at least one
of them is not in the kernel of $\psi$ with probability $> \frac{1}{2}$. The algorithm is polynomial
time in $d$ and $\log q$.

As a special case we take $G = G_0 = J(\mathbb{F}_q)$ and $\psi = \psi_0$ the identity. Applying
lemma 8 we find a sequence of elements in $J(\mathbb{F}_q)$ out of which one at least is non-zero
(with high probability). We take $G_1$ to be quotient of $G_0$ by the subgroup generated by these
elements and $\psi_1$ the quotient map. Applying the lemma again we construct another sequence of
elements in $J(\mathbb{F}_q)$ out of which one at least is not in $G_0$ (with high probability). We
go on like that and produce a sequence of subgroups in $J(\mathbb{F}_q)$ that increase with constant
probability until the index in $J(\mathbb{F}_q)$ becomes smaller than $\max(48g, 24d, 720)$. Note
that every step in this method is probabilistic: it succeeds with some probability, that can be made
very high (exponentially close to 1) while keeping a polynomial overall complexity.

Lemma 9 (Finding an almost generating set) There exists a probabilistic (Monte-Carlo) algorithm
that takes as input

1. a degree $d$ and geometric genus $g$ plane projective absolutely irreducible reduced curve $C$
over $\mathbb{F}_q$, such that $q > 4g^2$,

2. the smooth model $X$ of $C$,

3. a degree $g$ effective divisor $\omega$, as origin,

and outputs a sequence of elements in $\mathrm{Pic}^0(X/\mathbb{F}_q)$ that generate a subgroup of index at most

$\max(48g, 24d, 720)$

with probability $> \frac{1}{2}$. The algorithm is polynomial time in $d$ and $\log q$.

Note that we do not catch the whole group $J(\mathbb{F}_q)$ of rational points but a subgroup $A$ with
index at most $\iota = \max(48g, 24d, 720)$. This is a small but annoying gap. In the sequel we shall
try to compute the $\ell$-torsion of the group $J(\mathbb{F}_q)$ of rational points. Because of the small gap in
the above lemma, we may miss some $\ell$-torsion points if $\ell$ is smaller than $\iota$. However, let $k$ be an
integer such that $\ell^k > \iota$. And let $x$ be a point of order $\ell$ in $J(\mathbb{F}_q)$. Assume there exists a point $y$
in $J(\mathbb{F}_q)$ such that $x = \ell^{k-1}y$. The group $\langle y \rangle$ generated by $y$ and the group $A$ have non-trivial
intersection because the product of their orders is bigger than the order of $J(\mathbb{F}_q)$. Therefore $x$
belongs to $A$.

Our strategy for computing $J(\mathbb{F}_q)[\ell]$ will be to find a minimal field extension $\mathbb{F}_Q$ of $\mathbb{F}_q$ such
that all points in $J(\mathbb{F}_q)[\ell]$ are divisible by $\ell^{k-1}$ in $J(\mathbb{F}_Q)$. We then shall apply the above lemma
to $J(\mathbb{F}_Q)$. To finish with, we shall have to compute $J(\mathbb{F}_q)$ as a subgroup of $J(\mathbb{F}_Q)$. To this end,
we shall use the Weil pairing.
5 Pairings



Let $n$ be a prime to $p$ integer and $J$ a jacobian variety over $\mathbb{F}_q$. The Weil pairing relates the full
$n$-torsion subgroup $J(\bar{\mathbb{F}}_q)[n]$ with itself. It can be defined using Kummer theory and is geometric
in nature. The Tate-Lichtenbaum-Frey-Rück pairing is more cohomological and relates the
$n$-torsion $J(\mathbb{F}_q)[n]$ in the group of $\mathbb{F}_q$-rational points and the quotient $J(\mathbb{F}_q)/nJ(\mathbb{F}_q)$. In this
section, we quickly review the definitions and algorithmic properties of these pairings, following
work by Weil, Lang, Menezes, Okamoto, Vanstone, Frey and Rück.

We first recall the definition of Weil pairing following [20]. Let $k$ be an algebraically closed
field with characteristic $p$. For every abelian variety $A$ over $k$, we denote by $Z_0(A)_0$ the group
of 0-cycles with degree 0 and by $S : Z_0(A)_0 \to A$ the summation map, that associates to every
0-cycle of degree 0 the corresponding sum in $A$.

Let $V$ and $W$ be two projective non-singular irreducible and reduced varieties over $k$, and let
$\alpha : V \to A$ and $\beta : W \to B$ be the canonical maps into their Albanese varieties. Let $D$ be a
correspondence on $V \times W$. Let $n > 2$ be a prime to $p$ integer. Let $\mathfrak{a}$ (resp. $\mathfrak{b}$) be a 0-cycle of
degree 0 on $V$ (resp. $W$) and let $a = S(\alpha(\mathfrak{a}))$ (resp. $b = S(\beta(\mathfrak{b}))$) be the associated point in $A$
(resp. $B$). Assume $na = nb = 0$. The Weil pairing $e_{n,D}(a, b)$ is defined in [20, VI, §4, Theorem
10]. It is an $n$-th root of unity in $k$. It depends linearly in $a$, $b$ and $D$.

Assume $V = W = X$ is a smooth projective irreducible and reduced curve over $k$ and
$A = B = J$ is its jacobian and $\alpha = \beta = f : X \to J$ is the Jacobi map (once an origin on $X$
has been chosen). If we take $D$ to be the diagonal on $X \times X$ we define a pairing $e_{n,D}(a, b)$ that
will be denoted $e_n(a, b)$ or $e_{n,X}(a, b)$. It does not depend on the origin for the Jacobi map. It is
non-degenerate.

The jacobian $J$ is principally polarized. We have an isomorphism $\lambda : J \to \hat{J}$ between $J$
and its dual $\hat{J}$. If $\alpha$ is an endomorphism $\alpha : J \to J$, we denote by ${}^t\alpha$ its transpose ${}^t\alpha : \hat{J} \to \hat{J}$.
If $D$ is a divisor on $J$ that is algebraically equivalent to zero, the image by ${}^t\alpha$ of the linear
equivalence class of $D$ is the linear equivalence class of the inverse image $\alpha^{-1}(D)$. See [20, V,
§1]. The Rosati dual of $\alpha$ is defined to be $\alpha^* = \lambda^{-1} \circ {}^t\alpha \circ \lambda$. The map $\alpha \mapsto \alpha^*$ is an involution,
and $\alpha^*$ is the adjoint of $\alpha$ for the Weil pairing

$e_{n,X}(a, \alpha(b)) = e_{n,X}(\alpha^*(a), b)$    (1)

according to [20, VII, §2, Proposition 6].

If $Y$ is another smooth projective irreducible and reduced curve over $k$ and $K$ its jacobian
and $\phi : X \to Y$ a non-constant map with degree $d$, and $\phi^* : K \to J$ the associated map between
jacobians, then for $a$ and $b$ of order dividing $n$ in $K$ one has $e_{n,X}(\phi^*(a), \phi^*(b)) = e_{n,Y}(a,$

The Frey-Rück pairing can be constructed from the Lichtenbaum version of Tate's pairing
[22] as was shown in [14]. Let $q$ be a power of $p$. Let again $n > 2$ be an integer prime to $p$
and $X$ a smooth projective absolutely irreducible reduced curve over $\mathbb{F}_q$. Let $g$ be the genus of
$X$. We assume $n$ divides $q - 1$. Let $J$ be the jacobian of $X$. The Frey-Rück pairing $\{,\}_n :
J(\mathbb{F}_q)[n] \times J(\mathbb{F}_q)/nJ(\mathbb{F}_q) \to \mathbb{F}_q^*/(\mathbb{F}_q^*)^n$ is defined as follows. We take a class of order dividing
$n$ in $J(\mathbb{F}_q)$. Such a class can be represented by an $\mathbb{F}_q$-divisor $D$ with degree 0. We take a class in
$J(\mathbb{F}_q)$ and pick a degree zero $\mathbb{F}_q$-divisor $E$ in this class, that we assume to be disjoint to $D$. The
pairing evaluated at the classes $[D]$ and $[E] \bmod n$ is $\{[D], [E] \bmod n\}_n = f(E) \bmod (\mathbb{F}_q^*)^n$
where $f$ is any function with divisor $nD$. This is a non-degenerate pairing.

We now explain how one can compute the Weil pairing, following work by Menezes, Okamoto,
Vanstone, Frey and Rück. The Tate-Lichtenbaum-Frey-Rück pairing can be computed similarly.

As usual, we assume we are given a degree $d$ plane model $C$ for $X$. Assume $a$ and $b$ have
disjoint support (otherwise we may replace $a$ by some linearly equivalent divisor using the explicit
moving lemma). We compute a function $\phi$ with divisor $na$. We similarly compute a function
$\psi$ with divisor $nb$. Then $e_n(a, b) =$ This algorithm is polynomial in the degree $d$ of $C$ and
the order $n$ of the divisors, provided the initial divisors $a$ and $b$ are given as differences between
effective divisors with polynomial degree in $d$.

Using an idea that appears in a paper by Menezes, Okamoto and Vanstone [24] in the context
of elliptic curves, and in [14] for general curves, one can make this algorithm polynomial in $\log n$
in the following way. We write $a = a_0 = a_0^+ - a_0^-$ where $a_0^+$ and $a_0^-$ are effective divisors. Let $\phi$
be the function computed in the above simple minded algorithm. One has $(\phi) = na_0^+ - na_0^-$. We
want to express $\phi$ as a product of small degree functions. We use a variant of fast exponentiation.
Using lemma 3 we compute a divisor $a_1 = a_1^+ - a_1^-$ and a function $\phi_1$ such that $a_1$ is disjoint
to $b$ and $(\phi_1) = a_1 - 2a$ and such that the degrees of $a_1^+$ and $a_1^-$ are $< 6gd(\log_q(\deg(b)) + 1)$.
We go on and compute, for $k > 1$ an integer, a divisor $a_k = a_k^+ - a_k^-$ and a function $\phi_k$ such
that $a_k$ is disjoint to $b$ and $(\phi_k) = a_k - 2a_{k-1}$ and such that the degrees of $a_k^+$ and $a_k^-$ are
$< 6gd(\log_q(\deg(b)) + 1)$. We write the base 2 expansion of $n = \sum_k \epsilon_k 2^k$ with $\epsilon_k \in \{0, 1\}$. We
compute the function $\Psi$ with divisor $\sum_k \epsilon_k a_k$. We claim that the function $\phi$ can be written as a
product of the $\phi_k$, for $k < \log_2 n$, and $\Psi$ with suitable integer exponents bounded by $n$ in absolute
value. Indeed we write $\mu_1 = \phi_1$, $\mu_2 = \phi_2\phi_1^2$, $\mu_3 = \phi_3\phi_2^2\phi_1^4$ and so on. We have $(\mu_k) = a_k - 2^k a$
and $\Psi \prod_k \mu_k^{-\epsilon_k}$ has divisor $na$ so is the $\phi$ we were looking for.

Lemma 10 (Computing the Weil pairing) There exists an algorithm that on input an integer
$n > 2$ prime to $q$ and a degree $d$ absolutely irreducible reduced plane projective curve $C$ over
$\mathbb{F}_q$ and its smooth model $X$ and two $\mathbb{F}_q$-divisors on $X$, denoted $a = a^+ - a^-$ and $b = b^+ - b^-$,
with degree 0, and order dividing $n$ in the jacobian, computes the Weil pairing $e_n(a, b)$ in time
polynomial in $d$, $\log q$, $\log n$ and the degrees of $a^+$, $a^-$, $b^+$, $b^-$, the positive and negative parts of
$a$ and $b$.

Lemma 11 (Computation of Tate-Lichtenbaum-Frey-Rück pairings) There exists an algorithm
that on input an integer $n > 2$ dividing $q - 1$ and a degree $d$ absolutely irreducible
reduced plane projective curve $C$ over $\mathbb{F}_q$ and its smooth model $X$ and two $\mathbb{F}_q$-divisors on $X$,
denoted $a = a^+ - a^-$ and $b = b^+ - b^-$, with degree 0, and such that the class of $a$ has order
dividing $n > 2$ in the jacobian, computes the Tate-Lichtenbaum-Frey-Rück pairing $\{a, b\}_n$ in
time polynomial in $d$, $\log q$, $\log n$ and the degrees of $a^+$, $a^-$, $b^+$, $b^-$, the positive and negative
parts of $a$ and $b$.
6 Divisible groups



Let $\mathbb{F}_q$ be a finite field with characteristic $p$ and let $X$ be a projective smooth absolutely
irreducible reduced algebraic curve over $\mathbb{F}_q$. Let $g$ be the genus of $X$ and let $\ell \neq p$ be a prime
integer. We assume $g > 1$. Let $J$ be the jacobian of $X$ and let $\mathrm{End}(J/\mathbb{F}_q)$ be the ring of
endomorphisms of $J$ over $\mathbb{F}_q$. Let $F_q$ be the Frobenius endomorphism. In this section we study the
action of $F_q$ on $\ell^k$-torsion points of $J$. We first consider the whole $\ell^k$-torsion group. We then
restrict to some well chosen subgroups where this action is more amenable.

Let $\chi(X)$ be the characteristic polynomial of $F_q \in \mathrm{End}(J/\mathbb{F}_q)$. The Rosati dual to $F_q$ is
$q/F_q$. Let $\mathcal{O} = \mathbb{Z}[X]/\chi(X)$ and $\mathcal{O}_\ell = \mathbb{Z}_\ell[X]/\chi(X)$. We set $\varphi_q = X \bmod \chi(X) \in \mathcal{O}$. Mapping
$\varphi_q$ onto $F_q$ defines an epimorphism from the ring $\mathcal{O}$ onto $\mathbb{Z}[F_q]$. In order to control the degree of
the field of definition of $\ell^k$-torsion points we shall bound the order of $\varphi_q$ in $(\mathcal{O}/\ell^k\mathcal{O})^*$.

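We set $U_1 = (\mathcal{O}/\ell\mathcal{O})^* = (\mathbb{F}_\ell[X]/\chi(X))^*$. Let the prime factorization of $\chi(X) \bmod \ell$ be
$\prod_i \chi_i(X)^{e_i}$ with $\deg(\chi_i) = f_i$. The order of $U_1$ is $\prod_i \ell^{(e_i - 1)f_i}(\ell^{f_i} - 1)$. Let $\gamma$ be the smallest
integer such that $\ell^\gamma$ is bigger than or equal to $2g$. Then the exponent of the group $U_1$ divides
$A_1 = \ell^\gamma \prod_i (\ell^{f_i} - 1)$. We set $B_1 = \prod_i (\ell^{f_i} - 1)$ and $C_1 = \ell^\gamma$. There is a unique polynomial
$M_1(X) \in \mathbb{Z}[X]$ with degree $< 2g$ such that $\frac{\varphi_q^{A_1} - 1}{\ell} = M_1(\varphi_q) \in \mathcal{O}$.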

Now for every positive integer $k$, the element $\varphi_q$ belongs to the unit group $U_k = (\mathcal{O}/\ell^k\mathcal{O})^*$
of the quotient algebra $\mathcal{O}/\ell^k\mathcal{O} = \mathbb{Z}[X]/(\ell^k, \chi(X))$. The prime factorization of $\chi(X) \bmod \ell$
is lifted modulo $\ell^k$ as $\prod_i \Xi_i(X)$ with $\Xi_i$ monic and $\deg(\Xi_i) = e_i f_i$, and the order of $U_k$ is
$\prod_i \ell^{f_i(ke_i - 1)}(\ell^{f_i} - 1)$. The exponent of the latter group divides $A_k = A_1\ell^{k-1}$. So we set $B_k =
B_1 = \prod_i (\ell^{f_i} - 1)$ and $C_k = C_1\ell^{k-1} = \ell^{k-1+\gamma}$. There is a unique polynomial $M_k(X) \in \mathbb{Z}[X]$
with degree $< \deg(\chi)$ such that $\frac{\varphi_q^{A_k} - 1}{\ell^k} = M_k(\varphi_q) \in \mathcal{O}$.

For every integer $N > 2$ we can compute $M_k(X) \bmod N$ from $\chi(X)$ in probabilistic polynomial
time in $\log q$, $\log \ell$, $\log N$, $k$, $g$: we first factor $\chi(X) \bmod \ell$ then compute the $\chi_i$ and the
$e_i$ and $f_i$. We compute $X^{A_k}$ modulo $(\chi(X), \ell^k N)$ using fast exponentiation. We remove 1 and
divide by $\ell^k$.

Lemma 12 (Frobenius and $\ell$-torsion) Let $k$ be a positive integer and $\ell \neq p$ a prime. Let $\chi(X)$
be the characteristic polynomial of the Frobenius $F_q$ of $J/\mathbb{F}_q$. Let $e_i$ and $f_i$ be the multiplicities
and inertiae in the prime decomposition of $\chi(X) \bmod \ell$. Let $\gamma$ be the smallest integer such that
$\ell^\gamma$ is bigger than or equal to $2g$. Let $B = \prod_i (\ell^{f_i} - 1)$. Let $C_k = \ell^{k-1+\gamma}$ and $A_k = BC_k$.
The $\ell^k$-torsion in $J$ splits completely over the degree $A_k$ extension of $\mathbb{F}_q$. There is a degree
$< 2g$ polynomial $M_k(X) \in \mathbb{Z}[X]$ such that $F_q^{A_k} = 1 + \ell^k M_k(F_q)$. For every integer $N$ one
can compute such a $M_k(X) \bmod N$ from $\chi(X)$ in probabilistic polynomial time in $\log q$, $\log \ell$,
$\log N$, $k$, $g$.
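
The computation of $M_k(X) \bmod N$ described before Lemma 12 (fast exponentiation of $X$ modulo $(\chi(X), \ell^k N)$, remove 1, divide by $\ell^k$) can be carried out as follows. This is an added example, not code from the paper; the function names are hypothetical, the inertia degrees $f_i$ are assumed to come from the factoring step, and the sample polynomial $X^2 - 2X + 7$ is constructed.

```python
from math import prod

def _mulmod(a, b, chi, m):
    """Product of a and b in (Z/mZ)[X]/(chi). Coefficient lists are low degree first, chi is monic."""
    n = len(chi) - 1
    out = [0] * (2 * n - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % m
    # Rewrite X^d for d >= n using chi(X) = 0, from the top degree down.
    for d in range(2 * n - 2, n - 1, -1):
        c, out[d] = out[d], 0
        for i in range(n):
            out[d - n + i] = (out[d - n + i] - c * chi[i]) % m
    return out[:n]

def _x_power(e, chi, m):
    """X^e in (Z/mZ)[X]/(chi) by square and multiply."""
    n = len(chi) - 1
    result = [1 % m] + [0] * (n - 1)
    base = [0, 1 % m] + [0] * (n - 2)
    while e:
        if e & 1:
            result = _mulmod(result, base, chi, m)
        base = _mulmod(base, base, chi, m)
        e >>= 1
    return result

def frobenius_power_polynomial(chi, ell, k, N, inertia_degrees):
    """Return (A_k, M_k mod N) with X^(A_k) = 1 + ell^k * M_k(X) modulo chi.

    chi: monic integer polynomial of degree 2g, low degree first.
    inertia_degrees: the f_i of the prime factors of chi mod ell (assumed given).
    """
    n = len(chi) - 1                      # n = 2g
    if n < 2 or chi[-1] != 1:
        raise ValueError("chi must be monic of degree 2g >= 2")
    gamma = 0
    while ell ** gamma < n:               # smallest gamma with ell^gamma >= 2g
        gamma += 1
    B = prod(ell ** f - 1 for f in inertia_degrees)
    A_k = B * ell ** (k - 1 + gamma)      # A_k = B * C_k, C_k = ell^(k-1+gamma)
    modulus = ell ** k * N
    power = _x_power(A_k, chi, modulus)
    power[0] = (power[0] - 1) % modulus   # remove 1
    if any(c % ell ** k for c in power):
        raise ArithmeticError("X^A_k is not 1 modulo (chi, ell^k): check the f_i")
    return A_k, [(c // ell ** k) % N for c in power]   # divide by ell^k

if __name__ == "__main__":
    # Constructed sample: chi = X^2 - 2X + 7 is (X - 1)^2 modulo 3, so f = [1].
    print(frobenius_power_polynomial([7, -2, 1], 3, 2, 3, [1]))
```

On the sample, $A_2 = 18$ and $M_2(X) \equiv X + 2 \pmod 3$, that is $X^{18} = 1 + 9(X - 1)$ modulo $(\chi, 27)$.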

In order to state sharper results it is convenient to introduce $\ell$-divisible subgroups inside the
$\ell^\infty$-torsion of a jacobian $J$, that may or may not correspond to subvarieties. We now see how to
define such subgroups and control their rationality properties.

Lemma 13 (Divisible group) Let $\Pi : J[\ell^\infty] \to J[\ell^\infty]$ be a group homomorphism whose restriction
to its image $\mathbb{G}$ is a bijection. Multiplication by $\ell$ is then a surjection from $\mathbb{G}$ to itself. We
denote by $\mathbb{G}[\ell^k]$ the $\ell^k$-torsion in $\mathbb{G}$. There is an integer $w$ such that $\mathbb{G}[\ell^k]$ is a free $\mathbb{Z}/\ell^k\mathbb{Z}$ module
of rank $w$ for every $k$. We assume that $\Pi$ commutes with the Frobenius endomorphism $F_q$. We
then say $\mathbb{G}$ is the divisible group associated with $\Pi$. From Tate's theorem [30] $\Pi$ is induced by
some endomorphism in $\mathrm{End}(J/\mathbb{F}_q) \otimes_{\mathbb{Z}} \mathbb{Z}_\ell$ and we can define $\Pi^*$ the Rosati dual of $\Pi$ and denote
by $\mathbb{G}^* = \mathrm{Im}(\Pi^*)$ the associated divisible group, that we call the adjoint of $\mathbb{G}$.

Remark 3 The dual $\mathbb{G}^*$ does not only depend on $\mathbb{G}$. It may depend on $\Pi$ also.

Remark 4 We may equivalently define $\Pi^*$ as the dual of $\Pi$ for the Weil pairing. See formula (1).

We now give an example of divisible group. Let $F(X) = F_1(X)$ and $G(X) = G_1(X)$ be two
monic coprime polynomials in $\mathbb{F}_\ell[X]$ such that $\chi(X) = F_1(X)G_1(X) \bmod \ell$. From Bezout's
theorem we have two polynomials $H_1(X)$ and $K_1(X)$ in $\mathbb{F}_\ell[X]$ such that $F_1H_1 + G_1K_1 = 1$
and $\deg(H_1) < \deg(G_1)$ and $\deg(K_1) < \deg(F_1)$. From Hensel's lemma, for every positive
integer $k$ there exist four polynomials $F_k(X)$, $G_k(X)$, $H_k(X)$ and $K_k(X)$ in $(\mathbb{Z}/\ell^k\mathbb{Z})[X]$ such
that $F_k$ and $G_k$ are monic and $\chi(X) = F_k(X)G_k(X) \bmod \ell^k$ and $F_kH_k + G_kK_k = 1 \bmod \ell^k$
and $\deg(H_k) < \deg(G_1)$ and $\deg(K_k) < \deg(F_1)$ and $F_1 = F_k \bmod \ell$, $G_1 = G_k \bmod \ell$,
$H_1 = H_k \bmod \ell$, $K_1 = K_k \bmod \ell$. The sequences $(F_k)_k$, $(G_k)_k$, $(H_k)_k$, $(K_k)_k$ converge in
$\mathbb{Z}_\ell[X]$ to $F_0$, $G_0$, $H_0$, $K_0$.

If we substitute $F_q$ for $X$ in $F_0H_0$ we obtain a map $\Pi_G : J[\ell^\infty] \to J[\ell^\infty]$ and similarly, if
we substitute $F_q$ for $X$ in $G_0K_0$ we obtain a map $\Pi_F$. It is clear that $\Pi_F^2 = \Pi_F$ and $\Pi_G^2 = \Pi_G$
and $\Pi_F + \Pi_G = 1$ and $\Pi_F\Pi_G = 0$. We call $\mathbb{G}_F = \mathrm{Im}(\Pi_F)$ and $\mathbb{G}_G = \mathrm{Im}(\Pi_G)$ the associated
supplementary $\ell$-divisible groups.

Definition 1 (Characteristic subspaces) For every non-trivial monic factor $F(X)$ of $\chi(X) \bmod
\ell$ such that the cofactor $G = \chi/F \bmod \ell$ is prime to $F$, we write $\chi = F_0G_0$ the corresponding
factorization in $\mathbb{Z}_\ell[X]$. The $\ell$-divisible group $\mathbb{G}_F$ is called the $F_0$-torsion in $J[\ell^\infty]$ and is denoted
$J[\ell^\infty, F_0]$. It is the characteristic subspace of $F_q$ associated with the factor $F$. If $F = (X - 1)^e$ is
the largest power of $X - 1$ dividing $\chi(X) \bmod \ell$ we abbreviate $\mathbb{G}_{(X-1)^e} = \mathbb{G}_1$. If $F = (X - q)^e$
then we write similarly $\mathbb{G}_{(X-q)^e} = \mathbb{G}_q$.

We now compute fields of definitions for torsion points inside such divisible groups. The
action of $F_q$ on the $\ell^k$-torsion $\mathbb{G}_F[\ell^k] = J[\ell^k, F_0]$ inside $\mathbb{G}_F$ factors through the smaller ring
$\mathcal{O}_\ell/(\ell^k, F_0(\varphi_q)) = \mathbb{Z}_\ell[X]/(\ell^k, F_0)$. We deduce the following.

Lemma 14 (Frobenius and $F_0$-torsion) Let $k$ be a positive integer and $\ell \neq p$ a prime. Let
$\chi(X)$ be the characteristic polynomial of the Frobenius $F_q$ of $J$. Let $\chi = FG \bmod \ell$ with $F$
and $G$ monic coprime. Let $e_i$ and $f_i$ be the multiplicities and inertiae in the prime decomposition
of $F(X) \bmod \ell$. Let $\gamma$ be the smallest integer such that $\ell^\gamma$ is bigger than or equal to $2g$. Let
$B(F) = \prod_i (\ell^{f_i} - 1)$. Let $C_k(F) = \ell^{k-1+\gamma}$ and $A_k(F) = B(F)C_k(F)$. The $\ell^k$-torsion in $\mathbb{G}_F$
splits completely over the degree $A_k(F)$ extension of $\mathbb{F}_q$. There is a degree $< \deg(F)$ polynomial
$M_k(X) \in \mathbb{Z}_\ell[X]$ such that $\Pi_F F_q^{A_k(F)} = \Pi_F + \ell^k \Pi_F M_k(F_q)$. For every power $N$ of $\ell$, one can
compute such an $M_k(X)$ modulo $N$ from $\chi(X)$ and $F(X)$ in probabilistic polynomial time in
$\log q$, $\log \ell$, $\log N$, $k$, $g$.
If we take for $F$ the largest power of $X - 1$ dividing $\chi(X) \bmod \ell$ in the above lemma, we
can take $B(F) = 1$ so $A_k(F)$ is an $\ell$ power $< 2g\ell^k$.

If we take for $F$ the largest power of $X - q$ dividing $\chi(X) \bmod \ell$ in the above lemma, we
have $B(F) = \ell - 1$ so $A_k(F)$ is $< 2g(\ell - 1)\ell^k$.

So the characteristic spaces associated with the eigenvalues 1 and $q$ split completely over
small degree extensions of $\mathbb{F}_q$.

7 The Kummer map 

Let $X$ be a smooth projective absolutely irreducible reduced curve over $\mathbb{F}_q$ of genus $g$ and $J$ the
jacobian of $X$. Let $n > 2$ be an integer dividing $q - 1$. We assume $g > 1$. In this section, we
construct a convenient surjection from $J(\mathbb{F}_q)$ to $J(\mathbb{F}_q)[n]$.

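If $P$ is in $J(\mathbb{F}_q)$ we take some $R \in J(\bar{\mathbb{F}}_q)$ such that $nR = P$ and form the 1-cocycle
$({}^\sigma R - R)_\sigma$ in $H^1(\mathbb{F}_q, J[n])$. Using the Weil pairing we deduce an element

$S \mapsto (e_n({}^\sigma R - R, S))_\sigma$

in

$\mathrm{Hom}(J[n](\mathbb{F}_q), H^1(\mu_n)) = \mathrm{Hom}(J[n](\mathbb{F}_q), \mathrm{Hom}(\mathrm{Gal}(\mathbb{F}_q), \mu_n))$.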

The map that sends $P \bmod nJ(\mathbb{F}_q)$ to $S \mapsto (e_n({}^\sigma R - R, S))_\sigma$ is injective because the
Frey-Rück pairing is non-degenerate. We observe that $\mathrm{Hom}(\mathrm{Gal}(\mathbb{F}_q), \mu_n)$ is isomorphic to $\mu_n$:
giving an homomorphism from $\mathrm{Gal}(\mathbb{F}_q)$ to $\mu_n$ is equivalent to giving the image of the Frobenius
generator $F_q$. We obtain a bijection $T_{n,q}$ from $J(\mathbb{F}_q)/nJ(\mathbb{F}_q)$ to the dual $\mathrm{Hom}(J[n](\mathbb{F}_q), \mu_n)$
of $J[n](\mathbb{F}_q)$ that we call the Tate map. It maps $P$ onto $S \mapsto e_n({}^{F_q}R - R, S)$. If $J[n]$ splits
completely over $\mathbb{F}_q$ we set $K_{n,q}(P) = {}^{F_q}R - R$ and define a bijection $K_{n,q} : J(\mathbb{F}_q)/nJ(\mathbb{F}_q) \to
J[n](\mathbb{F}_q) = J[n]$ that we call the Kummer map.

Definition 2 (The Kummer map) Let $J/\mathbb{F}_q$ be a jacobian and $n > 2$ an integer. Assume $J[n]$
splits completely over $\mathbb{F}_q$. For $P$ in $J(\mathbb{F}_q)$ we choose any $R$ in $J(\bar{\mathbb{F}}_q)$ such that $nR = P$ and we
set $K_{n,q}(P) = {}^{F_q}R - R$. This defines a bijection

$K_{n,q} : J(\mathbb{F}_q)/nJ(\mathbb{F}_q) \to J[n](\mathbb{F}_q) = J[n]$.

We now assume that $n = \ell^k$ is a power of some prime integer $\ell \neq p$. We also make the
(strong!) assumption that $J[n]$ splits completely over $\mathbb{F}_q$. We want to compute the Kummer map
$K_{n,q}$ explicitly. Let $P$ be an $\mathbb{F}_q$-rational point in $J$. Let $R$ be such that $nR = P$. Since $F_q - 1$
kills $J[n]$, there is an $\mathbb{F}_q$-endomorphism $\kappa$ of $J$ such that $F_q - 1 = n\kappa$. We note that $\kappa$ belongs to
$\mathbb{Z}[F_q] \otimes_{\mathbb{Z}} \mathbb{Q} = \mathbb{Q}[F_q]$ and therefore commutes with $F_q$. We have $\kappa(P) = (F_q - 1)(R) = K_{n,q}(P)$
and $\kappa(P)$ is $\mathbb{F}_q$-rational.

Computing the Kummer map will be seen to be very useful but it requires that $J[n]$ splits
completely over $\mathbb{F}_q$. In general, we shall have to base change to some extension of $\mathbb{F}_q$.
Let $\chi(X)$ be the characteristic polynomial of $F_q$ and let $B = \prod_i (\ell^{f_i} - 1)$ where the $f_i$ are
the degrees of prime divisors of $\chi(X) \pmod \ell$. Let $\ell^\gamma$ be the smallest power of $\ell$ that is bigger
than or equal to $2g$. Let $C_k = \ell^{\gamma+k-1}$ and $A_k = BC_k$. Set $Q = q^{A_k}$. From lemma 12 there is
a polynomial $M_k(X)$ such that $F_Q = 1 + \ell^k M_k(F_q)$. So, for $P$ an $\mathbb{F}_Q$-rational point in $J$ and
$R$ such that $nR = P$, the Kummer map $K_{n,Q}$ applied to $P$ is $M_k(F_q)(P) = (F_Q - 1)(R) =
K_{n,Q}(P)$ and this is an $\mathbb{F}_Q$-rational point.

Lemma 15 (Computing the Kummer map) Let $J/\mathbb{F}_q$ be a jacobian. Let $g > 1$ be its dimension.
Let $\ell \neq p$ be a prime integer and $n = \ell^k$ a power of $\ell$. Let $\chi(X)$ be the characteristic
polynomial of $F_q$ and let $B = \prod_i (\ell^{f_i} - 1)$ where the $f_i$ are the degrees of prime divisors of $\chi(X)$
$\pmod \ell$. Let $\ell^\gamma$ be the smallest power of $\ell$ that is bigger than or equal to $2g$. Let $C_k = \ell^{\gamma+k-1}$
and $A_k = BC_k$. Set $Q = q^{A_k}$ and observe that $n$ divides $Q - 1$ because $J[n]$ splits completely
over $\mathbb{F}_Q$. There exists an endomorphism $\kappa \in \mathbb{Z}[F_q]$ of $J$ such that $n\kappa = F_Q - 1$ and for every
$\mathbb{F}_Q$-rational point $P$ and any $R$ with $nR = P$ one has $\kappa(P) = (F_Q - 1)(R) = K_{n,Q}(P)$. This
endomorphism $\kappa$ induces a bijection between $J(\mathbb{F}_Q)/nJ(\mathbb{F}_Q)$ and $J[n](\mathbb{F}_Q) = J[n]$. Given
$\chi(X)$ and a positive integer $N$ one can compute $\kappa \bmod N$ as a polynomial in $F_q$ with coefficients
in $\mathbb{Z}/N\mathbb{Z}$ in probabilistic polynomial time in $g$, $\log \ell$, $\log q$, $k$, $\log N$.

This lemma is not of much use in practice because the field $\mathbb{F}_Q$ is too big. On the other hand,
we may not be interested in the whole $n$-torsion in $J$ but just a small piece in it, namely the
$n$-torsion of a given divisible group.

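So let $\ell \neq p$ be a prime integer and $\mathbb{G}$ an $\ell$-divisible group in $J[\ell^\infty]$ and $\Pi = \Pi^2 : J[\ell^\infty] \to
\mathbb{G}$ a projection onto it. Let $n = \ell^k$ and let $Q$ be a power of $q$ such that $\mathbb{G}[n]$ splits completely
over $\mathbb{F}_Q$. Let $P$ be an $\mathbb{F}_Q$-rational point in $\mathbb{G}$. Let $R \in \mathbb{G}(\bar{\mathbb{F}}_q)$ be such that $nR = P$. We set
$K_{\mathbb{G},n,Q}(P) = {}^{F_Q}R - R$ and define an isomorphism

$K_{\mathbb{G},n,Q} : \mathbb{G}(\mathbb{F}_Q)/n\mathbb{G}(\mathbb{F}_Q) \to \mathbb{G}(\mathbb{F}_Q)[n] = \mathbb{G}[n]$.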

In order to make this construction explicit, we now assume that there exists some $\kappa \in \mathbb{Z}_\ell[F_q]$
such that $\Pi(F_Q - 1 - n\kappa) = 0$. Lemma 14 provides us with such a $Q$ and such a $\kappa$ when
$\mathbb{G} = J[\ell^\infty, F_0]$ is some characteristic subspace.

We now can compute this new Kummer map $K_{\mathbb{G},n,Q}$. Let $P$ be an $\mathbb{F}_Q$-rational point in $\mathbb{G}$. Let
$R \in \mathbb{G}$ be such that $nR = P$. From $(F_Q - 1 - n\kappa)\Pi(R) = 0 = (F_Q - 1 - n\kappa)(R)$ we deduce
that $K_{\mathbb{G},n,Q}(P) = \kappa(P)$. Hence the

Lemma 16 (The Kummer map for a divisible group) Let $J/\mathbb{F}_q$ be a jacobian. Let $g$ be its
dimension. Let $\ell \neq p$ be a prime integer and $n = \ell^k$ a power of $\ell$. We assume $g > 1$. Let
$\chi(X)$ be the characteristic polynomial of $F_q$. Assume $\chi(X) = F(X)G(X) \bmod \ell$ with $F$ and
$G$ monic coprime polynomials in $\mathbb{F}_\ell[X]$ and let $\mathbb{G}_F$ be the associated $\ell$-divisible group. Let
$B = (\ell - 1)\prod_i (\ell^{f_i} - 1)$ where the $f_i$ are the degrees of prime divisors of $F(X) \pmod \ell$.
Let $\ell^\gamma$ be the smallest power of $\ell$ that is bigger than or equal to $2g$. Let $C_k = \ell^{k-1+\gamma}$ and
$A_k = BC_k$. Set $Q = q^{A_k}$. From lemma 14 there exists an endomorphism $\kappa \in \mathbb{Z}_\ell[F_q]$ such
that $\Pi_F(n\kappa - F_Q + 1) = 0$ and for every $\mathbb{F}_Q$-rational point $P \in \mathbb{G}_F$ and any $R \in \mathbb{G}_F$ with
$nR = P$ one has $\kappa(P) = (F_Q - 1)(R) = K_{\mathbb{G},n,Q}(P)$. This endomorphism $\kappa$ induces a bijection
between $\mathbb{G}_F(\mathbb{F}_Q)/n\mathbb{G}_F(\mathbb{F}_Q)$ and $\mathbb{G}_F[n](\mathbb{F}_Q) = \mathbb{G}_F[n]$. Given $\chi(X)$ and $F(X)$ and a power $N$
of $\ell$, one can compute $\kappa \bmod N$ as a polynomial in $F_q$ with coefficients in $\mathbb{Z}/N\mathbb{Z}$ in probabilistic
polynomial time in $g$, $\log \ell$, $\log q$, $k$, $\log N$.

8 Linearization of torsion classes 

Let $C$ be a degree $d$ plane projective absolutely irreducible reduced curve over $\mathbb{F}_q$ with
geometric genus $g > 1$, and assume we are given the smooth model $X$ of $C$. We also assume we
are given a degree 1 divisor $O = O^+ - O^-$ where $O^+$ and $O^-$ are effective, $\mathbb{F}_q$-rational and have
degree bounded by an absolute constant times $g$.

Let $J$ be the jacobian of $X$. We assume $\ell \neq p$ is a prime integer that divides $\#J(\mathbb{F}_q)$. Let
$n = \ell^k$ be a power of $\ell$. We want to describe $J(\mathbb{F}_q)[\ell^k]$ by generators and relations.

If $x_1, x_2, \ldots, x_I$ are elements in a finite commutative group $G$ we let $\mathcal{R}$ be the kernel of the
map $\xi : \mathbb{Z}^I \to G$ defined by $\xi(a_1, \ldots, a_I) = \sum_i a_i x_i$. We call $\mathcal{R}$ the lattice of relations between
the $x_i$.

We first give a very general and rough algorithm for computing relations in any finite com- 
mutative group. 

Lemma 17 (Finding relations in blackbox groups) Let $G$ be a finite and commutative group
and let $x_1, x_2, \ldots, x_I$ be elements in $G$. A basis for the lattice of relations between the $x_i$ can be
computed at the expense of $3I\#G$ operations (or comparisons) in $G$.

We first compute and store all the multiples of $x_1$. So we list $0, x_1, 2x_1, \ldots$ until we find the
first multiple $e_1x_1$ that is equal to zero. This gives us the relation $r_1 = (e_1, 0, \ldots, 0) \in \mathcal{R}$. This
first step requires at most $o = \#G$ operations in $G$ and $o$ comparisons.

We then compute successive multiples of $x_2$ until we find the first one $e_2x_2$ that is in $L_1 =
\{0, x_1, \ldots, (e_1 - 1)x_1\}$. This gives us a second relation $r_2$. The couple $(r_1, r_2)$ is a basis for the
lattice of relations between $x_1$ and $x_2$. Using this lattice, we compute the list $L_2$ of elements in
the group generated by $x_1$ and $x_2$. This second step requires at most $2o$ operations and $e_1e_2 < o$
comparisons.

We then compute successive multiples of $x_3$ until we find the first one $e_3x_3$ that is in $L_2$. This
gives us a third relation $r_3$. The triple $(r_1, r_2, r_3)$ is a basis for the lattice of relations between $x_1$,
$x_2$ and $x_3$. Using this lattice, we compute the list $L_3$ of elements in the group generated by $x_1$,
$x_2$ and $x_3$. This third step requires at most $2o$ operations and $o$ comparisons. And we go on like
this. □

This is far from efficient unless the group is very small. 
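
The enumeration in the proof of Lemma 17 can be written down directly for any group given by an addition function and hashable elements. This is an added example, not code from the paper; the function names and the sample group $\mathbb{Z}/4 \times \mathbb{Z}/6$ with its three elements are constructed for illustration.

```python
def relation_lattice(gens, add, zero):
    """Basis of the lattice of relations between gens in a finite commutative group.

    gens: list of group elements x_1..x_I (hashable)
    add:  the group law, add(u, v)
    zero: the neutral element
    Returns (basis, known): basis[j] is the relation r_{j+1}, and known maps every
    element of the subgroup generated by gens to one coefficient vector.
    """
    I = len(gens)
    known = {zero: (0,) * I}      # the list L_{j-1}, with coordinates attached
    basis = []
    for j, x in enumerate(gens):
        # Successive multiples of x_j until one falls in L_{j-1}.
        multiple, e = x, 1
        while multiple not in known:
            multiple = add(multiple, x)
            e += 1
        coeffs = known[multiple]  # e*x_j = sum_i coeffs[i]*x_i over i < j
        basis.append(tuple(-c for c in coeffs[:j]) + (e,) + (0,) * (I - j - 1))
        # Build L_j = { s + m*x_j : s in L_{j-1}, 0 <= m < e }.
        enlarged = {}
        for s, c in known.items():
            elt, vec = s, list(c)
            for _ in range(e):
                enlarged[elt] = tuple(vec)
                elt = add(elt, x)
                vec[j] += 1
        known = enlarged
    return basis, known

# Constructed sample: G = Z/4 x Z/6 with three elements.
def add_z4_z6(u, v):
    return ((u[0] + v[0]) % 4, (u[1] + v[1]) % 6)

def evaluate(relation, gens):
    """Image of an integer vector under xi(a_1..a_I) = sum a_i x_i in Z/4 x Z/6."""
    return (sum(a * g[0] for a, g in zip(relation, gens)) % 4,
            sum(a * g[1] for a, g in zip(relation, gens)) % 6)

SAMPLE_GENS = [(2, 3), (1, 1), (0, 2)]

def sample_basis():
    return relation_lattice(SAMPLE_GENS, add_z4_z6, (0, 0))

if __name__ == "__main__":
    basis, known = sample_basis()
    print(basis, len(known))
```

The basis is triangular, so the product of its diagonal entries (here $2 \cdot 12 \cdot 1 = 24$) is the order of the subgroup generated by the $x_i$.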

We come back to the computation of generators and relations for $J(\mathbb{F}_q)[\ell^k]$.

Let $B = \ell - 1$. Let $\ell^\gamma$ be the smallest power of $\ell$ that is bigger than or equal to $2g$ and let
$A_k = B\ell^{\gamma+k-1}$. We set $Q_k = q^{A_k}$.

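If we take for $F$ a power of $X - 1$ in definition 1 and lemma 16 we obtain two surjective
maps $\Pi_1 : J(\mathbb{F}_{Q_k})[\ell^\infty] \to \mathbb{G}_1(\mathbb{F}_{Q_k})$ and $K_{\mathbb{G}_1,\ell^k,Q_k} : \mathbb{G}_1(\mathbb{F}_{Q_k}) \to \mathbb{G}_1[\ell^k]$.

If we now take for $F$ a power of $X - q$ in definition 1 and lemma 16 we obtain two surjective
maps $\Pi_q : J(\mathbb{F}_{Q_k})[\ell^\infty] \to \mathbb{G}_q(\mathbb{F}_{Q_k})$ and $K_{\mathbb{G}_q,\ell^k,Q_k} : \mathbb{G}_q(\mathbb{F}_{Q_k}) \to \mathbb{G}_q[\ell^k]$.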
There exists a unit $u$ in $\mathrm{End}(J/\mathbb{F}_q) \otimes_{\mathbb{Z}} \mathbb{Z}_\ell$ such that the Rosati dual $\Pi_1^*$ of $\Pi_1$ is

$\Pi_1^* = u\Pi_q$.

Therefore $\mathbb{G}_q = \mathbb{G}_1^*$ and the restriction of the Weil pairing to $\mathbb{G}_1[\ell^k] \times \mathbb{G}_q[\ell^k]$ is non-degenerate.

If $Q_k > 4g^2$, we use lemma 9 to produce a sequence $\gamma_1, \ldots, \gamma_I$ of elements in $J(\mathbb{F}_{Q_k})$
that generate (with high probability) a subgroup of index at most $\iota = \max(48g, 24d, 720)$. If
$Q_k < 4g^2$ we use lemma 6 to produce a sequence $\gamma_1, \ldots, \gamma_I$ of elements in $J(\mathbb{F}_{Q_k})$ that generate
it.

Let $N$ be the largest divisor of $\#J(\mathbb{F}_{Q_k})$ which is prime to $\ell$.

We set $\alpha_i = K_{\mathbb{G}_1,\ell^k,Q_k}(\Pi_1(N\gamma_i))$ and $\beta_i = K_{\mathbb{G}_q,\ell^k,Q_k}(\Pi_q(N\gamma_i))$.

The group $\mathcal{A}_k$ generated by the $\alpha_i$ has index at most $\iota$ in $\mathbb{G}_1[\ell^k]$. The group $\mathcal{B}_k$ generated by
the $\beta_i$ has index at most $\iota$ in $\mathbb{G}_q[\ell^k]$.

Let $\ell^s$ be the smallest power of $\ell$ that is bigger than $\iota$ and assume $k > s$. Then $\mathcal{A}_k$ contains
$\mathbb{G}_1[\ell^{k-s}]$.

We now explain how to compute the lattice of relations between given elements $\rho_1, \ldots, \rho_J$ in
$\mathbb{G}_1[\ell^k]$. We denote by $\mathcal{R}$ this lattice. Recall the restriction of the Weil pairing to $\mathbb{G}_1[\ell^k] \times \mathbb{G}_q[\ell^k]$
is a non-degenerate pairing

$e_{\ell^k} : \mathbb{G}_1[\ell^k] \times \mathbb{G}_q[\ell^k] \to \mu_{\ell^k}$.

We fix an isomorphism between the group $\mu_{\ell^k}(\bar{\mathbb{F}}_q) = \mu_{\ell^k}(\mathbb{F}_{Q_k})$ of $\ell^k$-th roots of unity and
$\mathbb{Z}/\ell^k\mathbb{Z}$. Having chosen the preimage of $1 \bmod \ell^k$, computing this isomorphism is a problem
called discrete logarithm. We can compute this discrete logarithm by exhaustive search at the
expense of $O(\ell^k)$ operations in $\mathbb{F}_{Q_k}$. There exist more efficient algorithms, but we don't need
them for our complexity estimates.

We regard the matrix $(e_{\ell^k}(\beta_i, \rho_j))$ as a matrix with $I$ rows, $J$ columns and coefficients in
$\mathbb{Z}/\ell^k\mathbb{Z}$. This matrix defines a morphism from $\mathbb{Z}^J$ to $(\mathbb{Z}/\ell^k\mathbb{Z})^I$ whose kernel is a lattice $\mathcal{R}'$ that
contains $\mathcal{R}$. The index of $\mathcal{R}$ in $\mathcal{R}'$ is at most $\iota$. Indeed $\mathcal{R}'/\mathcal{R}$ is isomorphic to the orthogonal
complement of $\mathcal{B}_k$ in $\langle \rho_1, \ldots, \rho_J \rangle \subset \mathbb{G}_1[\ell^k]$. So it has order $< \iota$. We then compute a basis
of $\mathcal{R}'$. This boils down to computing the kernel of an $I \times (J + I)$ integer matrix with entries
bounded by $\ell^k$. This can be done by putting this matrix in Hermite normal form (see [6, 2.4.3]).
The complexity is polynomial in $I$, $J$ and $k \log \ell$. See [6, 2.4.3].

Once given a basis of $\mathcal{R}'$, the sublattice $\mathcal{R}$ can be computed using lemma 17 at the expense
of $< 3J\iota$ operations.

We apply this method to the generators $(\alpha_i)_i$ of $\mathcal{A}_k$. Once given the lattice $\mathcal{R}$ of relations
between the $\alpha_i$ it is a matter of linear algebra to find a basis $(b_1, \ldots, b_w)$ for $\mathcal{A}_k[\ell^{k-s}] = \mathbb{G}_1[\ell^{k-s}]$.
The latter group is a rank $w$ free module over $\mathbb{Z}/\ell^{k-s}\mathbb{Z}$ and is acted on by the $q$-Frobenius $F_q$.
For every $b_j$ we can compute the lattice of relations between $F_q(b_j), b_1, b_2, \ldots, b_w$ and deduce the
matrix of $F_q$ with respect to the basis $(b_1, \ldots, b_w)$. From this matrix we deduce a nice generating
set for the kernel of $F_q - 1$ in $\mathbb{G}_1[\ell^{k-s}]$. This kernel is $J[\ell^{k-s}](\mathbb{F}_q)$. We deduce the following.

Theorem 1 There is a probabilistic Monte-Carlo algorithm that on input

1. a degree $d$ and geometric genus $g$ plane projective absolutely irreducible reduced curve $C$
over $\mathbb{F}_q$,

2. the smooth model $X$ of $C$,

3. a degree 1 divisor $O = O^+ - O^-$ where $O^+$ and $O^-$ are effective, $\mathbb{F}_q$-rational and have
degree bounded by a constant times $g$,

4. a prime $\ell$ different from the characteristic $p$ of $\mathbb{F}_q$ and a power $n = \ell^k$ of $\ell$,

5. the zeta function of $X$;

outputs a set $g_1, \ldots, g_W$ of divisor classes in the Picard group of $X/\mathbb{F}_q$, such that the $\ell^k$ torsion
$\mathrm{Pic}(X/\mathbb{F}_q)[\ell^k]$ is the direct product of the $\langle g_i \rangle$, and the orders of the $g_i$ form a non-decreasing
sequence. Every class $g_i$ is given by a divisor $G_i - gO$ in the class, where $G_i$ is a degree $g$
effective $\mathbb{F}_q$-divisor on $X$.

The algorithm runs in probabilistic polynomial time in $d$, $g$, $\log q$ and $\ell^k$. It outputs the
correct answer with probability $> \frac{1}{2}$. Otherwise, it may return either nothing or a strict subgroup
of $\mathrm{Pic}(X/\mathbb{F}_q)[\ell^k]$.

If one is given a degree zero $\mathbb{F}_q$-divisor $D = D^+ - D^-$ of order dividing $\ell^k$, one can compute
the coordinates of the class of $D$ in the basis $(g_i)_{1 \leq i \leq W}$ in polynomial time in $d$, $\log q$, $\ell^k$ and the
degree of $D^+$. These coordinates are integers $x_i$ such that $\sum_{1 \leq i \leq W} x_i g_i = [D]$.

9 An example: modular curves 

In this section we consider a family of modular curves for which we can easily provide and
study a plane model. Let $\ell > 5$ be a prime. We set $d_\ell = \frac{\ell^2 - 1}{4}$ and $m_\ell = \frac{\ell - 1}{2}$. We denote by
$X_\ell = X(2)_1(\ell)$ the moduli of elliptic curves with full 2-torsion plus one non-trivial $\ell$-torsion
point. We first describe a homogeneous singular plane model $C_\ell$ for this curve. We enumerate
the geometric points on $X_\ell$ above every singularity of $C_\ell$ and compute the conductor $\mathfrak{C}_\ell$ using the
Tate elliptic curve.

Let $\lambda$ be an indeterminate and form the Legendre elliptic curve with equation $y^2 = x(x -
1)(x - \lambda)$. Call $\mathcal{T}_\ell(\lambda, x)$ the $\ell$-division polynomial of this curve. It is a polynomial in $\mathbb{Q}[\lambda][x]$
with degree $2d_\ell = \frac{\ell^2 - 1}{2}$ in $x$.

As a polynomial in $x$ we have

$\mathcal{T}_\ell(\lambda, x) = \sum_{0 \leq k \leq 2d_\ell} a_{2d_\ell - k}(\lambda) x^k$

where $a_0(\lambda)$ has degree 0 in $\lambda$ so that we normalise by setting $a_0(\lambda) = \ell$.

Let $T$ be a splitting field of $\mathcal{T}_\ell(\lambda, x)$ over $\mathbb{Q}(\lambda)$. A suitable twist of the Legendre curve has a
point of order $\ell$ defined over $T$ (and the full two torsion also). This proves that $T$ contains the
function field $\mathbb{Q}(X_\ell)$. Comparison of the degrees of $T/\mathbb{Q}(\lambda)$ and $\mathbb{Q}(X_\ell)/\mathbb{Q}(\lambda)$ shows that the
two fields $T$ and $\mathbb{Q}(X_\ell)$ are equal and the polynomial $\mathcal{T}_\ell$ is irreducible in $\mathbb{Q}(\lambda)[x]$.
We can compute the $2d_\ell$ roots of $\mathcal{T}_\ell(\lambda, x)$ in the field $\mathbb{Q}\{\{\lambda^{-1}\}\}$ of Puiseux series in $\lambda^{-1}$. We
set

$j = j(\lambda) = 2^8\lambda^2(1 - \lambda^{-1} + 3\lambda^{-2} + 3\lambda^{-4} + \cdots)$

so that $j^{-1} = 2^{-8}(\lambda^{-2} + \lambda^{-3} - 2\lambda^{-4} - 5\lambda^{-5} + \cdots)$.
We introduce Tate's $q$-parameter, defined implicitly by

$j = \frac{1}{q} + 744 + 196884q + \cdots$

so that

$q = j^{-1} + 744j^{-2} + 750420j^{-3} + \cdots = \frac{\lambda^{-2}}{256} + \frac{\lambda^{-3}}{256} + \frac{29\lambda^{-4}}{8192} + \frac{13\lambda^{-5}}{4096} + \cdots$

We set $x = x' + \frac{1+\lambda}{3}$ and $y' = y$ and find the reduced Weierstrass equation for the Legendre
curve

$y'^2 = x'^3 - \frac{\lambda^2 - \lambda + 1}{3}x' - \frac{(\lambda - 2)(\lambda + 1)(2\lambda - 1)}{27}$.

We want to compare the latter curve and the Tate curve with equation

$y''^2 = x''^3 - \frac{E_4(q)}{48}x'' + \frac{E_6(q)}{864}$

where $E_4(q) = 1 + 240q + \cdots$ and $E_6(q) = 1 - 504q + \cdots$.

The quotient (frz^j^p is a quadratic differential on the curve X(2) with divisor —2(0) —2(1) 
in the A coordinate. Examination of the leading terms of its expansion shows that 

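$E_4(q)\left(\frac{dq}{q}\right)^2 = \frac{4(\lambda^2 - \lambda + 1)(d\lambda)^2}{\lambda^2(1 - \lambda)^2}$

and similarly

$E_6(q)\left(\frac{dq}{q}\right)^3 = \frac{4(\lambda - 2)(\lambda + 1)(2\lambda - 1)(d\lambda)^3}{\lambda^3(1 - \lambda)^3}$.

We deduce the isomorphism $x' = \gamma^2x''$ and $y' = \gamma^3y''$ with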

^ 2 = 2 ^- 1 '(^) = - 4A+2 + ^ 1 + ^- 2 + -- 

Set Q = exp ( ^f- ) . For a and b integers such that either 6 = and 1 < a < ^ or 1 < b < 



e-i 



b . 



and < a < i — 1 we set w = Qqi in the expansion 
neZ v y * n>l H

and find 

< b = ^ + 0V+O(g^) 

if6 ^ 0, and < j0 = ^ + IT ^ F + 0(g). 
So 

9 „ 1+A , >„,->- 8i ^1 26 26+1 

x s ,t = 7 V + — ^— = -40 a 2— A 1 -" + 0(A^— ) 

if 6 ^ and x aj0 = (X^A + 0(1). 

The $x_{a,b}$ are the roots of $\mathcal{T}_\ell(\lambda, x)$ in the field $\mathbb{Q}\{\{\lambda^{-1}\}\}$ of Puiseux series.

We deduce that for 1 < k < ^ the polynomial a k (\) has degree at most k. Further 

ae-i (A) = 2^~ 1 (— A) V 1 +0(AV). For A; > ^ the polynomial a fe (A) has degree < k and < dg. 

The coefficients in all the series expansions above are in Z[-^ : Q, 2j\. The coefficients of 
%(\, x) are in Z[^]. In fact 7^(A, x) is in Z[A, x] but this is not needed here. 

Since $\mathcal{T}_\ell \in \mathbb{Q}[\lambda, x]$ is absolutely irreducible, the equation $\mathcal{T}_\ell(\lambda, x) = 0$ defines a plane
absolutely irreducible affine curve $C_\ell$. Let $C_\ell \subset \mathbb{P}^2$ be the projective plane curve made of the zeroes
of the homogeneous polynomial $\mathcal{T}_\ell(\frac{\Lambda}{Y}, \frac{X}{Y})Y^{2d_\ell}$.

For every geometric point $P$ on $X_\ell$ such that $\lambda(P) \notin \{0, 1, \infty\}$, the function $\lambda - \lambda(P)$ is
a uniformizing parameter at $P$. Further $x(P)$ is finite and $P$ is the only geometric point on $X_\ell$
above the point $(\lambda(P), x(P))$ of $C_\ell$. So the only possible singularities of $C_\ell$ lie on one of the
three lines with equations $\Lambda = 0$, $Y = 0$ and $\Lambda - Y = 0$.

The points at infinity are given by the degree 2dg form 

2^ 1 (-l)^ i A^ i X^ + --- + £X^ = X^ Y[ {-AA-{Q + Q a -2)X). 

0<a<^ 

We call $\Sigma_\infty = [1, 0, 0]$ the unique singular point at infinity and for every $1 \le b \le \frac{\ell-1}{2}$ we call $\sigma_{\infty,b}$ the point above $\Sigma_\infty$ on $X_\ell$ associated with the orbit

$$\{x_{0,b}, x_{1,b}, \ldots, x_{\ell-1,b}\}$$

for the local monodromy group. We call $\mu_{\infty,a}$ the point on $X_\ell$ corresponding to the expansion $x_{a,0}$. The ramification index of the covering map $\lambda : X_\ell \to X(2)$ is $\ell$ at $\sigma_{\infty,b}$ and 1 at $\mu_{\infty,a}$. Since
£ — 2b and £ are coprime, there exist two integers a b and such that a b (£ — 2b) — (3^ = 1 and 
I < ab < I — I and 1 — 1. The monomial x ab A~ /3fc G Q(A^) is a local parameter 

at $\sigma_{\infty,b}$. Of course, $\lambda^{-\frac{1}{\ell}}$ is also a local parameter at this point, and it is much more convenient, although it is not in $\mathbb{Q}(X_\ell)$.
The morphism $X_\ell \to X_1(\ell)$ corresponding to forgetting the 2-torsion structure is Galois with group $S_3$ generated by the two transpositions $\tau_{(0,\infty)}$ and $\tau_{(0,1)}$ defined in homogeneous coordinates by

$$\tau_{(0,\infty)} : [\Lambda, X, Y] \mapsto [Y, X, \Lambda]$$

and

$$\tau_{(0,1)} : [\Lambda, X, Y] \mapsto [Y - \Lambda, Y - X, Y].$$

We observe that these act on $X_\ell$, $\mathbb{P}^2$ and $C_\ell$ in a way compatible with the maps $X_\ell \to C_\ell$ and $C_\ell \subset \mathbb{P}^2$. We set $\Sigma_0 = \tau_{(0,\infty)}(\Sigma_\infty) = [0, 0, 1]$ and $\Sigma_1 = \tau_{(0,1)}(\Sigma_0) = [1, 1, 1]$. We set $\sigma_{0,b} = \tau_{(0,\infty)}(\sigma_{\infty,b})$ and $\sigma_{1,b} = \tau_{(0,1)}(\sigma_{0,b})$, $\mu_{0,a} = \tau_{(0,\infty)}(\mu_{\infty,a})$ and $\mu_{1,a} = \tau_{(0,1)}(\mu_{0,a})$.

The genus of $X_\ell$ is $g_\ell = \frac{(\ell-3)^2}{4} = (m_\ell - 1)^2$. The arithmetic genus of $C_\ell$ is $g_a = (m_\ell^2 + m_\ell - 1)(2m_\ell^2 + 2m_\ell - 1)$. We now compute the conductor of $C_\ell$. Locally at $\Sigma_\infty$ the curve $C_\ell$ consists of $m_\ell$ branches (one for each point $\sigma_{\infty,b}$) that are cusps with equations

The conductor of this latter cusp is $\sigma_{\infty,b}$ times $(\ell - 1)(2b - 1)$ which is the next integer to the last gap of the additive semigroup generated by $\ell$ and $2b$. The conductor of the full singularity $\Sigma_\infty$ is now given by Gorenstein's formula [15, Theorem 2] and is

$$\sum_{1 \le b \le m_\ell} \{b(4m_\ell^2 + 4m_\ell - 1) - 2m_\ell - (2m_\ell + 1)b^2\} \cdot \sigma_{\infty,b}.$$

The full conductor $\mathfrak{C}_\ell$ is the sum of this plus the two corresponding terms to the isomorphic singularities $\Sigma_0$ and $\Sigma_1$. The degree $\deg(\mathfrak{C}_\ell)$ of $\mathfrak{C}_\ell$ is $2m_\ell(2m_\ell^3 + 4m_\ell^2 - 2m_\ell - 1)$. So we set $\delta = m_\ell(2m_\ell^3 + 4m_\ell^2 - 2m_\ell - 1)$ and we check that $g_a = g_\ell + \delta$.

Now let p ^ {2, 3, £} be a prime. Let C p be the (complete, algebraically closed) field of p- 
adics and F p its residue field. We embed Q in C p and also in C. In particular Q = exp( 2 y E ) and 
2? are well defined as p-adic numbers. We observe that in the calculations above, all coefficients 
belong to Z[i, Q, 2?]. More precisely, the curves Ci and X e are defined over Z[^]. We write 
Ci mod p = Ci/Fp = Ci (8) Z rj_i F p for the reduction of Ci modulo p, and define similarly 
Xi mod p. We write similarly mod p and iXoo, a m od p. 

We deduce the following. 

Lemma 18 (Computing $C_\ell$ and resolving its singularities) There exists a deterministic algorithm that given a prime $\ell > 5$ and a prime $p \notin \{2, 3, \ell\}$ and a finite field $\mathbb{F}_q$ with characteristic $p$ such that $\zeta_\ell$ mod $p$ and $2^{\frac{1}{\ell}}$ mod $p$ belong to $\mathbb{F}_q$, computes the equation $\mathcal{T}_\ell(\lambda, x)$ modulo $p$ and the expansions of all $x_{a,b}$ as series in $\lambda^{-\frac{1}{\ell}}$ with coefficients in $\mathbb{F}_q$, in time polynomial in $\ell$, $\log q$ and the required $\lambda^{-\frac{1}{\ell}}$-adic accuracy.
10 Another family of modular curves

In this section we consider another family of modular curves for which we can easily provide and study a plane model. This family will be useful in the calculation of modular representations as sketched in the next section. Let $\ell > 5$ be a prime. This time we set $X_\ell = X_1(5\ell)$ the moduli of elliptic curves with one point of order $5\ell$. The genus of $X_\ell$ is $g_\ell = \ell^2 - 4\ell + 4$. We first describe a homogeneous singular plane model $C_\ell$ for this curve. We then enumerate the geometric points on $X_\ell$ above every singularity of $C_\ell$ and provide series expansions for affine coordinates at every such branch. Finally, for $p \notin \{2, 3, 5, \ell\}$ a prime integer, we recall how to compute the zeta function of the function field $\mathbb{F}_p(X_\ell)$. All this will be useful in section 11 where we apply theorem 1 to the curve $X_\ell$.

Let $b$ be an indeterminate and form the elliptic curve $E_b$ in Tate normal form with equation $y^2 + (1-b)xy - by = x^3 - bx^2$. The point $P = (0, 0)$ has order 5 and its multiples are $2P = (b, b^2)$, $3P = (b, 0)$, $4P = (0, b)$. The multiplication by $\ell$ isogeny induces a degree $\ell^2$ rational function on $x$-coordinates: $x \mapsto$ where $\mathcal{N}(x)$ is a monic degree $\ell^2$ polynomial in $\mathbb{Q}(b)[x]$. Recursion formulae for division polynomials (see [12] section 3.6) provide a quick algorithm for computing this polynomial, and also show that the coefficients actually lie in $\mathbb{Z}[b]$. If $\ell$ is congruent to $\pm 1$ modulo 5 then $\ell P = \pm P$ and $x$ divides $\mathcal{N}(x)$. Otherwise $\mathcal{N}(x)$ is divisible by $x - b$.

Call $\mathcal{T}_\ell(b, x)$ the quotient of $\mathcal{N}(x)$ by $x$ or $x - b$, accordingly. This is a monic polynomial in $\mathbb{Z}[b][x]$ with degree $\ell^2 - 1$ in $x$. As a polynomial in $x$ we have

$$\mathcal{T}_\ell(b, x) = \sum_{0 \le k \le \ell^2 - 1} a_{\ell^2-1-k}(b)\,x^k$$

where $a_0(b) = 1$. We call $d$ the total degree of $\mathcal{T}_\ell$.

As in the previous section, we check that $\mathcal{T}_\ell$ is irreducible in $\mathbb{Q}(b)[x]$ and $\mathbb{Q}(X_\ell)$ is the splitting field of $\mathcal{T}_\ell$ over $\mathbb{Q}(b)$. Let $C_\ell \subset \mathbb{P}^2$ be the projective curve made of the zeroes of the homogeneous polynomial $\mathcal{T}_\ell(\frac{B}{Y}, \frac{X}{Y})Y^d$.

We set

$$j = j(b) = \frac{(b^4 - 12b^3 + 14b^2 + 12b + 1)^3}{b^5(b^2 - 11b - 1)}.$$

Let $\sqrt{5} \in \mathbb{C}$ be the positive square root of 5 and let $\zeta_5 = \exp(\frac{2i\pi}{5})$. Let $s = \frac{11 + 5\sqrt{5}}{2}$ and $\bar{s}$ be the two roots of $b^2 - 11b - 1$. The forgetful map $X_1(5\ell) \to X_1(5)$ is unramified except at $b \in \{0, \infty, s, \bar{s}\}$. For every point $P$ on $X_\ell$ such that $b(P) \notin \{0, s, \bar{s}, \infty\}$, the function $b - b(P)$ is a uniformizing parameter at $P$.

Let $U$ be the affine open set with equation $YB(B^2 - 11BY - Y^2) \ne 0$. Every point on $C_\ell \cap U$ is smooth and all points on $X_\ell$ above points in $C_\ell - U$ are cusps in the modular sense (i.e. the modular invariant at these points is infinite).

In order to desingularize $C_\ell$ at a given cusp, we shall construct an isomorphism between the Tate $q$-curve and the completion of $E_b$ at this cusp. We call $A_\infty$, $A_0$, $A_s$, $A_{\bar{s}}$ the points on $X_1(5)$ corresponding to the values $\infty$, 0, $s$ and $\bar{s}$ of $b$. We first study the situation locally at $A_\infty$. A local parameter is $b^{-1}$ and $j^{-1} = b^{-5} + 25b^{-6} + \cdots$.

We introduce Tate's $q$-parameter, defined implicitly by

$$j = \frac{1}{q} + 744 + 196884q + \cdots$$

so

$$q = j^{-1} + 744j^{-2} + 750420j^{-3} + \cdots = b^{-5} + 25b^{-6} + \cdots$$

and we fix an embedding of the local field at $A_\infty$ inside the field of Puiseux series $\mathbb{C}\{\{q\}\}$ by setting $b^{-1} = q^{\frac{1}{5}} - 5q^{\frac{2}{5}} + \cdots$.

We set $x' = 36x + 3(b^2 - 6b + 1)$ and $y' = 108(2y + (1-b)x - b)$ and find the reduced Weierstrass equation

$$y'^2 = x'^3 - 27(b^4 - 12b^3 + 14b^2 + 12b + 1)x' + 54(b^2 + 1)(b^4 - 18b^3 + 74b^2 + 18b + 1).$$
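The facts stated so far about the Tate normal form can be checked numerically over a finite field. The following Python sketch is an added example, not code from the paper (whose own code is the GP-PARI and Magma of the appendices); the prime 101 used in the checks and all function names are choices made here. For every admissible $b$ it verifies the multiples of $P$, the change of variables to the reduced Weierstrass model and the formula for $j(b)$.

```python
def inv(a, p):
    """Inverse of a modulo the prime p."""
    if a % p == 0:
        raise ZeroDivisionError("not invertible modulo p")
    return pow(a % p, p - 2, p)

def a_invariants(b, p):
    """(a1, a2, a3, a4, a6) of E_b : y^2 + (1-b)xy - by = x^3 - bx^2."""
    return ((1 - b) % p, (-b) % p, (-b) % p, 0, 0)

def add(P, Q, a, p):
    """Chord-and-tangent addition on a general Weierstrass curve; None is the origin."""
    a1, a2, a3, a4, _ = a
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if (y1 + y2 + a1 * x2 + a3) % p == 0:
            return None                                   # Q = -P
        lam = (3 * x1 * x1 + 2 * a2 * x1 + a4 - a1 * y1) * inv(2 * y1 + a1 * x1 + a3, p)
    else:
        lam = (y2 - y1) * inv(x2 - x1, p)
    lam %= p
    nu = (y1 - lam * x1) % p
    x3 = (lam * lam + a1 * lam - a2 - x1 - x2) % p
    y3 = (-(lam + a1) * x3 - nu - a3) % p
    return (x3, y3)

def multiples_of_P(b, p):
    """[P, 2P, 3P, 4P, 5P] for P = (0, 0) on E_b over F_p."""
    a, out, R = a_invariants(b, p), [], None
    for _ in range(5):
        R = add(R, (0, 0), a, p)
        out.append(R)
    return out

def c4(b, p):
    return (b**4 - 12 * b**3 + 14 * b**2 + 12 * b + 1) % p

def minus_c6(b, p):
    return (b * b + 1) * (b**4 - 18 * b**3 + 74 * b**2 + 18 * b + 1) % p

def delta(b, p):
    """Denominator of j(b); it vanishes exactly at the finite cusps of X_1(5)."""
    return b**5 * (b * b - 11 * b - 1) % p

def j_from_page(b, p):
    """j(b) as stated in the text."""
    return pow(c4(b, p), 3, p) * inv(delta(b, p), p) % p

def j_from_model(b, p):
    """j of the reduced model y'^2 = x'^3 + A x' + B, i.e. 1728*4A^3/(4A^3 + 27B^2)."""
    A = -27 * c4(b, p) % p
    B = 54 * minus_c6(b, p) % p
    return 1728 * 4 * pow(A, 3, p) * inv(4 * pow(A, 3, p) + 27 * B * B, p) % p

def on_reduced_model(point, b, p):
    """Apply x' = 36x + 3(b^2-6b+1), y' = 108(2y + (1-b)x - b) and test the reduced equation."""
    x, y = point
    xp = (36 * x + 3 * (b * b - 6 * b + 1)) % p
    yp = 108 * (2 * y + (1 - b) * x - b) % p
    rhs = (xp**3 - 27 * c4(b, p) * xp + 54 * minus_c6(b, p)) % p
    return yp * yp % p == rhs

def check_section_formulas(p):
    """Return (admissible, passing): b in F_p off the cusps, and those where all checks hold."""
    admissible = passing = 0
    for b in range(p):
        if delta(b, p) == 0:
            continue
        admissible += 1
        mult = multiples_of_P(b, p)
        ok = mult == [(0, 0), (b, b * b % p), (b, 0), (0, b), None]
        ok = ok and all(on_reduced_model(Q, b, p) for Q in mult[:4])
        ok = ok and j_from_page(b, p) == j_from_model(b, p)
        passing += ok
    return admissible, passing

if __name__ == "__main__":
    print(multiples_of_P(3, 101))
    print(check_section_formulas(101))
```

The prime must differ from 2 and 3 for the reduced model to make sense; over $\mathbb{F}_{101}$ the quadratic $b^2 - 11b - 1$ has two roots, so three values of $b$ are excluded.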
We want to compare the latter curve and the Tate curve with equation

$$y''^2 = x''^3 - \frac{E_4(q)}{48}\,x'' + \frac{E_6(q)}{864}$$

where $E_4(q) = 1 + 240q + \cdots$ and $E_6(q) = 1 - 504q + \cdots$. See flU Theorem 10.1.6].
From the classical (see ||2~8l Proposition 7.1]) identities 



qdj x 1 



j(j - 1728)£ 4 



we deduce 

'qdb\ 2 6 2 (6 2 - 116 -1) 2 E 4 



dq J 25(6 4 - 126 3 + 146 2 + 126 + V 



and 

'qdb\ 3 6 3 (6 2 - 116 - 1) 3 £ 6 



dq J 125(6 2 + 1)(6 4 - 186 3 + 746 2 + 186 + 1) ' 
We deduce the isomorphism x' = j 2 x" and y' = j 3 y" with 

2 _ 366(6 2 - 116 - l)dq 
^ hqdb 
The point $P$ has $(x, y)$ coordinates equal to $(0, 0)$. So

$$x''(P) = 3(b^2 - 6b + 1)/\gamma^2 = \frac{1}{12} + b^{-2} + 11b^{-3} + \cdots = \frac{1}{12} + q^{\frac{2}{5}} + O(q^{\frac{3}{5}}).$$

Since on the Tate curve we have

$$x''(w, q) = \frac{1}{12} + \sum_{n\in\mathbb{Z}} \frac{wq^n}{(1 - wq^n)^2} - 2\sum_{n\ge 1}\frac{nq^n}{1 - q^n} \qquad (2)$$

we deduce that $w(P) = q^{\pm\frac{2}{5}} \bmod \langle q \rangle$. We may take either sign in the exponent because we may choose any of the two isomorphisms corresponding to either possible values for $\gamma$. We decide that $w(P) = q^{\frac{2}{5}} \bmod \langle q \rangle$. Set $\zeta_\ell = \exp(\frac{2i\pi}{\ell})$. For $\alpha$ and $\beta$ integers such that $0 \le \alpha, \beta \le \ell - 1$ we set $w = \zeta_\ell^{\alpha} q^{\frac{\beta}{\ell}} q^{\frac{2}{5\ell}}$ in the expansion (2) and find



</j = ^ + C??M(i + 0(g«)) 



if < p < ^1 and 



ifl±l<^<£_l. 
Since 



< /3 = ^ + C a ^^(l + 0(g^)) 



x ai/3 = ( 7 2 ^-3(6 2 -66 + l))/36 
and 7 2 = 36b 2 - 2166 - 396 + Of^ 1 ) = 36g^ + 144g^ + 144 + • • • we deduce that 
ifO < /? < and



^,/3 + l = 0V + «"Ml + O(« 51 )) 



x Ql/3 + 1 = Q a q^~h-i (1 + O(g*0) 



if < p < £ - 1. 



2 
In particular, the degree of %{b } x) in b is < 2(1 — 1).
For < a < £ and < /3 < £ we set a = 5a mod £ and /? = 5/3 + 2 mod £. If (3 is non-zero, 
the local monodromy group permutes cyclically the £ roots x a ^ for < a < £. We call p the 
corresponding branch on Xg. On the other hand, if /3 — ^ mod £ then /5 = mod £ and every 
£ a =1. mod * is fixed by the local monodromy group. We observe that x ^2 mod e is either b or 

'5 '5 

and is not a root of 7^(6, x). For a a non-zero residue modulo £, we denote by /ioo^ the branch 
on X t corresponding to x a ^ mod £ . 

So we have $\ell - 1$ unramified points on $X_\ell$ above $A_\infty$ and $\ell - 1$ ramified points with ramification index $\ell$.

The coefficients in all the series expansions above are in Q] . The coefficients of %{b, x) 
are in Z. From the discussion above we deduce the following. 

Lemma 19 (Computing $C_\ell$ and resolving its singularities, I) There exists a deterministic algorithm that given a prime $\ell > 7$ and a prime $p \notin \{2, 3, 5, \ell\}$ and a finite field $\mathbb{F}_q$ with characteristic $p$ such that $\zeta_\ell$ mod $p$ belongs to $\mathbb{F}_q$, computes the equation $\mathcal{T}_\ell(b, x)$ modulo $p$ and the expansions of all $x_{\alpha,\beta}$ as series in $b^{-\frac{1}{\ell}}$ with coefficients in $\mathbb{F}_q$, in time polynomial in $\ell$, $\log q$ and the required $b^{-\frac{1}{\ell}}$-adic accuracy.

In appendix A we give a few lines of GP-PARI code (see [QQ|) that compute these expansions.

We now study the singular points above $A_0$. A local parameter at $A_0$ is $b$ and $j^{-1} = -b^5 + 25b^6 + \cdots$ so $q = -b^5 + 25b^6 + \cdots$ and we fix an embedding of the local field at $A_0$ inside $\mathbb{C}\{\{q\}\}$ by setting $b = -q^{\frac{1}{5}} + 5q^{\frac{2}{5}} + \cdots$. From $\gamma^2 = 36 - 216q^{\frac{1}{5}} + \cdots$ we deduce that the coordinate $x''(P)$ of the 5-torsion point $P$ is $x''(P) = \frac{1}{12} + q^{\frac{1}{5}} + O(q^{\frac{2}{5}})$ so the parameter $w$ at $P$ can be taken to be $w(P) = q^{\frac{1}{5}} \bmod \langle q \rangle$ this time. For $\alpha$ and $\beta$ integers such that $0 \le \alpha, \beta \le \ell - 1$ we set $w = \zeta_\ell^{\alpha} q^{\frac{1}{5\ell}} q^{\frac{\beta}{\ell}}$ in the expansion (2) and we finish as above.

Now, a local parameter at A s is b — s and = (| — ^^-)(b — s) + 0((b — s) 2 ) so 
q = {\ — "4kt)(& — s ) + ^((^ — s ) 2 ) an( ^ we ^ x an embedding of the local field at A s inside 
C{{g}} by setting b - s = 125+ 2 55v/5 g + 0(g 2 ). We deduce that the coordinate x"{P) of the 
5-torsion point P is x"(P) = ^ + + where w = exp(^) = Q so the parameter w 

at P can be taken to be w(P) = Cfmod < q > this time. 

Altogether we have proved the following.

Lemma 20 (Computing $C_\ell$ and resolving its singularities, II) There exists a deterministic algorithm that given a prime $\ell > 7$ and a prime $p \notin \{2, 3, 5, \ell\}$ and a finite field $\mathbb{F}_q$ with characteristic $p$ such that $\zeta_\ell$ mod $p$ and mod $p$ belong to $\mathbb{F}_q$, computes the equation $\mathcal{T}_\ell(b, x)$ modulo $p$ and expansions (with coefficients in $\mathbb{F}_q$) at every singular branch of $C_\ell$ in time polynomial in $\ell$, $\log q$ and the required number of significant terms in the expansions.

In order to apply theorem 1 to the curve $X_\ell$, we shall also need the following result due to Manin, Shokurov, Merel and Cremona ll23l 1231 l9l [T3l

Lemma 21 (Manin, Shokurov, Merel, Cremona) For $\ell$ a prime and $p \notin \{5, \ell\}$ another prime, the zeta function of $X_\ell$ (mod $p$) can be computed in deterministic polynomial time in $\ell$ and $p$.

We first compute the action of the Hecke operator $T_p$ on the space of Manin symbols for the congruence group $\Gamma_1(5\ell)$ associated with $X_\ell$. Then, from the Eichler-Shimura identity $T_p = F_p + p\langle p \rangle / F_p$ we deduce the characteristic polynomial of the Frobenius $F_p$. □

In appendix B we give a few lines of Magma code (see [2]) that compute the zeta function of $X_1(5\ell)/\mathbb{F}_p$.

11 Computing the Ramanujan subspace over $\mathbb{F}_p$

This section explains the connection between the methods given here and Edixhoven's program for computing coefficients of modular forms. Recall the definition of the Ramanujan arithmetic $\tau$ function, related to the sum expansion of the discriminant form:

$$\Delta(q) = q\prod_{k\ge 1}(1 - q^k)^{24} = \sum_{k\ge 1}\tau(k)q^k.$$

We call $\mathbb{T} \subset \mathrm{End}(J_1(\ell)/\mathbb{Q})$ the algebra of endomorphisms of $J_1(\ell)$ generated by the Hecke operators $T_n$ for all integers $n > 2$. Following Edixhoven [11, Definition 10.9] we state the

Definition 3 (The Ramanujan ideal) Assume $\ell > 13$ is a prime. We denote by $\mathfrak{m}$ the maximal ideal in $\mathbb{T}$ generated by $\ell$ and the $T_n - \tau(n)$. The subspace $J_1(\ell)[\mathfrak{m}]$ of the $\ell$-torsion of $J_1(\ell)$ cut out by all $T_n - \tau(n)$ is called the Ramanujan subspace at $\ell$ and denoted $V_\ell$.

This $V_\ell$ is a 2-dimensional vector space over $\mathbb{F}_\ell$ and for $p \ne \ell$ the characteristic polynomial of the Frobenius endomorphism $F_p$ on it is $X^2 - \tau(p)X + p^{11} \bmod \ell$.

In this section, we address the problem of computing $\mathfrak{m}$-torsion divisors on modular curves over some extension field $\mathbb{F}_q$ of $\mathbb{F}_p$ for $p \ne \ell$. The definition field $\mathbb{F}_q$ for such divisors can be predicted from the characteristic polynomial of $F_p$ on $V_\ell$. So the strategy is to pick random $\mathbb{F}_q$-points in the $\ell$-torsion of the jacobian $J_1(\ell)$ and to project them onto $V_\ell$ using Hecke operators.

In section 10 we have defined the modular curve $X_\ell = X_1(5\ell)$ and the degree 24 covering $\phi : X_\ell \to X_1(\ell)$ of $X_1(\ell)$. We prefer $X_\ell$ to $X_1(\ell)$ because we are able to construct a natural and convenient plane model for it. The covering map $\phi : X_\ell \to X_1(\ell)$ corresponds to forgetting the 5-torsion structure. It induces two morphisms $\phi^* : J_1(\ell) \to J_\ell$ and $\phi_* : J_\ell \to J_1(\ell)$ such that the composite map $\phi_* \circ \phi^*$ is multiplication by 24 in $J_1(\ell)$. We write $\phi_* \circ \phi^* = [24]$. Thus the curve $X_\ell$ provides a convenient computational model for the group of $\mathbb{F}_q$-points of the jacobian of $X_1(\ell)$.

We denote by $A_\ell \subset J_\ell$ the image of $\nu = \phi^* \circ \phi_*$. This is a subvariety of $J_\ell$ isogenous to $J_1(\ell)$. The restriction of $\nu$ to $A_\ell$ is multiplication by 24. The maps $\phi^*$ and $\phi_*$ induce Galois equivariant bijections between the $N$-torsion subgroups $J_1(\ell)[N]$ and $A_\ell[N]$ for every integer $N$ which is prime to 6.

We call $W_\ell \subset A_\ell \subset J_\ell$ the image of the Ramanujan subspace by $\phi^*$. We choose an integer $k$ such that $24k$ is congruent to 1 modulo $\ell$, and set $\hat{T}_n = [k] \circ \phi^* \circ T_n \circ \phi_*$, for every $n$. We notice that $\hat{T}_n \circ \phi^* = \phi^* \circ T_n$ on $J_1(\ell)[\ell]$. This way, the map $\phi^* : J_1(\ell) \to J_\ell$ induces a Galois equivariant bijection of Hecke modules between $J_1(\ell)[\ell]$ and $A_\ell[\ell]$ and $W_\ell = \phi^*(V_\ell)$ is the subspace in $A_\ell[\ell]$ cut out by all $\hat{T}_n - \tau(n)$. So $W_\ell$ will also be called the Ramanujan subspace at $\ell$ whenever there is no risk of confusion. We notice that $\phi^*$, $\phi_*$, $T_n$, and $\hat{T}_n$ can be seen as correspondences as well as morphisms between jacobians, and we state the following.

Lemma 22 (Computing the Hecke action) Let $\ell$ and $p$ be primes such that $p \notin \{2, 3, 5, \ell\}$. Let $n > 2$ be an integer. Let $q$ be a power of $p$ and let $D$ be an effective $\mathbb{F}_q$-divisor of degree $\deg(D)$ on $X_\ell$ (mod $p$). The divisors $\phi^* \circ \phi_*(D)$ and $\phi^* \circ T_n \circ \phi_*(D)$ can be computed in polynomial time in $\ell$, $\deg(D)$, $n$ and $\log q$.

If $n$ is prime to $\ell$, we define the Hecke operator $T(n, n)$ as an element in the ring of correspondences on $X_1(\ell)$ tensored by $\mathbb{Q}$. See [21, VII, §2]. From [21, VII, §2, Theorem 2.1] we have $T_{\ell^i} = (T_\ell)^i$ and $T_{n^i} = T_{n^{i-1}}T_n - nT_{n^{i-2}}T(n, n)$ if $n$ is prime and $n \ne \ell$. And of course $T_{n_1}T_{n_2} = T_{n_1n_2}$ if $n_1$ and $n_2$ are coprime. So it suffices to explain how to compute $T_\ell$ and also $T_n$ and $T(n, n)$ for $n$ prime and $n \ne \ell$.

Let $x = (E, u)$ be a point on $Y_1(\ell) \subset X_1(\ell)$ representing an elliptic curve $E$ with one $\ell$-torsion point $u$. Let $n$ be an integer. The Hecke operator $T_n$ maps $x$ onto the sum of all $(E_I, I(u))$, where $I : E \to E_I$ runs over the set of all isogenies of degree $n$ from $E$ such that
I(u) still has order i. If n is prime to £, the Hecke operator T(n, n) maps x onto \ times 
$(E, nu)$. So we can compute the action of these Hecke correspondences on points $x = (E, u)$ using Vélu's formulae [32].

There remains to treat the case of cusps. We call as for 1 < (3 < =^ and p a for 1 < a < ^ 
the cusps on X\(jt) images by 4> of the z and poo,a- To every cusp one can associate a set of 
Tate curves with f-torsion point (one Tate curve for every branch at this cusp). 

For example the Tate curves at are the Tate curves C* /q with I- torsion point w = Qq~f 
where the star runs over the set of all residues modulo L There are £ branches at each such cusp. 

Similarly, the Tate curves at p a are the Tate curves C* /q with f-torsion point w = Q. One 
single branch here: no ramification. 

For n prime and n^fwe have 

and 

where not in p na (resp. n/3 in a n jf) should be understood as a class in (Z/£Z)*/{1, —1}. 
Similarly 

and 

Te(/2 a ) = £/j a . 

And of course, if n is prime to £, then T(n, n)(a^) = -^crz and T(n, n)(/i<5,) = ^^na- 
All together, one can compute the effect of T n on cusps for all n. For the sake of complete- 
ness, we also give the action of the diamond operator <n> on cusps. If n is prime to t then 

<n> (cr§) = a n p and <n> (fi&) = Una- 
El 

We can now state the following.

Theorem 2 There is a probabilistic (Las Vegas) algorithm that on input a prime $\ell > 13$ and a prime $p > 7$ such that $\ell \ne p$, computes the Ramanujan subspace $W_\ell = \phi^*(V_\ell)$ inside the $\ell$-torsion of the jacobian of $X_\ell/\mathbb{F}_p$. The answer is given as a list of $\ell^2$ degree $g_\ell$ effective divisors on $X_\ell$, the first one being the origin $\omega$. The algorithm runs in probabilistic polynomial time in $p$ and $\ell$.

Lemma 20 gives us a plane model for $X_\ell$ (mod $p$) and a resolution of its singularities. From lemma 21 we obtain the zeta function of $X_\ell$ (mod $p$). The characteristic polynomial of $F_p$ on the Ramanujan space $V_\ell$ is $X^2 - \tau(p)X + p^{11} \bmod \ell$. So we compute $\tau(p)$ (mod $\ell$) using the expansion of the discriminant form. We deduce some small enough field of decomposition $\mathbb{F}_q$ for $V_\ell$ (mod $p$). We then apply theorem 1 and obtain a basis for the $\ell$-torsion in the Picard group of $X_\ell/\mathbb{F}_q$. The same theorem allows us to compute the matrix of the endomorphism $\nu = \phi^* \circ \phi_*$ in this basis. We deduce a basis for the image $A_\ell[\ell](\mathbb{F}_q)$ of $\nu$. Using theorem 1 again, we now write down the matrices of the Hecke operators $\hat{T}_n$ in this basis for all $n < \ell^2$. It is then a matter of linear algebra to compute a basis for the intersection of the kernels of all $\hat{T}_n - \tau(n)$ in $A_\ell[\ell](\mathbb{F}_q)$. The algorithm is Las Vegas rather than Monte-Carlo because we can check the result, the group $W_\ell$ having known cardinality $\ell^2$. □

Remark 5 In the above theorem, one may impose an origin $\omega$ rather than letting the algorithm choose it. For example, following work by Edixhoven in [11, Section 12], one may choose as origin a well designed linear combination of the cusps. Such an adapted choice of the origin may ensure that the $\ell^2 - 1$ divisors representing the non-zero classes in $W_\ell$ are unique in characteristic zero and thus remain unique modulo $p$ for all but finitely many primes $p$.

12 The semisimple non-scalar case 

In this section we present a simplified algorithm for computing the Ramanujan subspace $V_\ell$ modulo $p$, that applies when the Frobenius action on it is semisimple and non-scalar or equivalently when $\tau(p)^2 - 4p^{11}$ is not divisible by $\ell$. The main idea is to associate a divisible group with $V_\ell$.
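The case distinction that governs this section can be computed directly from the expansion of the discriminant form. The following Python sketch is an added example, not the paper's code; the function names and the sample primes are choices made here. It computes $\tau(p)$, classifies $X^2 - \tau(p)X + p^{11} \bmod \ell$ as inert, split, or having discriminant divisible by $\ell$, and in the first two cases returns the order of Frobenius on $V_\ell$, that is the degree over $\mathbb{F}_p$ of the field of decomposition of $V_\ell$.

```python
def tau_table(n_max):
    """Return [0, tau(1), ..., tau(n_max)] from Delta(q) = q * prod_{k>=1} (1 - q^k)^24."""
    if n_max < 1:
        raise ValueError("n_max must be at least 1")
    series = [1] + [0] * (n_max - 1)              # prod (1 - q^k)^24 modulo q^n_max
    for k in range(1, n_max):
        for _ in range(24):                       # multiply in place by (1 - q^k)
            for i in range(n_max - 1, k - 1, -1):
                series[i] -= series[i - k]
    return [0] + series                           # the leading factor q shifts the index


def frobenius_poly(ell, p):
    """(t, n) with X^2 - t X + n the characteristic polynomial of F_p on V_ell."""
    if p == ell:
        raise ValueError("p must differ from ell")
    return tau_table(p)[p] % ell, pow(p, 11, ell)


def mat_mul(a, b, ell):
    """Product of 2x2 matrices stored as (a11, a12, a21, a22), reduced mod ell."""
    return ((a[0] * b[0] + a[1] * b[2]) % ell, (a[0] * b[1] + a[1] * b[3]) % ell,
            (a[2] * b[0] + a[3] * b[2]) % ell, (a[2] * b[1] + a[3] * b[3]) % ell)


def companion_order(trace, det, ell):
    """Order in GL_2(F_ell) of the companion matrix of X^2 - trace*X + det."""
    if det % ell == 0:
        raise ValueError("the matrix must be invertible")
    m = (0, -det % ell, 1, trace % ell)
    power, order = m, 1
    while power != (1, 0, 0, 1):
        power, order = mat_mul(power, m, ell), order + 1
    return order


def split_roots(ell, p):
    """Roots in F_ell of X^2 - tau(p) X + p^11 (the a and b of the split case)."""
    t, n = frobenius_poly(ell, p)
    return [x for x in range(ell) if (x * x - t * x + n) % ell == 0]


def frobenius_case(ell, p):
    """Classify the Frobenius action on V_ell for an odd prime ell and a prime p != ell.

    Returns (case, degree). When the discriminant is non-zero mod ell the action is
    semisimple with two distinct eigenvalues, so F_p is conjugate to the companion
    matrix and its order is the degree of the field of decomposition over F_p.
    When ell divides the discriminant the polynomial alone does not decide between
    a scalar and a non-semisimple action, and no degree is returned.
    """
    t, n = frobenius_poly(ell, p)
    disc = (t * t - 4 * n) % ell
    if disc == 0:
        return ("discriminant divisible by ell", None)
    legendre = pow(disc, (ell - 1) // 2, ell)     # Euler's criterion
    return ("split" if legendre == 1 else "inert", companion_order(t, n, ell))


if __name__ == "__main__":
    for ell, p in [(19, 11), (17, 11), (17, 13), (17, 2)]:
        print(ell, p, frobenius_case(ell, p), split_roots(ell, p))
```

For $\ell = 17$ and $p = 11$ one of the two roots is 1, so one eigenline of $V_\ell$ is already rational over $\mathbb{F}_p$ while the other needs an extension of degree 16.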

For every integer $n > 2$ we call $A_n(X) \in \mathbb{Z}[X]$ the characteristic polynomial of $T_n$ acting on weight 2 modular forms for $\Gamma_1(\ell)$. We factor

$$A_n(X) = B_n(X)(X - \tau(n))^{e_n}$$

in $\mathbb{F}_\ell[X]$ with $B_n(X)$ monic and $B_n(\tau(n)) \ne 0 \in \mathbb{F}_\ell$. For every integer $k \ge 1$ this polynomial factorization lifts modulo $\ell^k$ as

$$A_n(X) = B_{n,k}(X)C_{n,k}(X) \pmod{\ell^k}.$$

We call $\Pi_k : J_1(\ell)[\ell^k] \to J_1(\ell)[\ell^k]$ the composite map of all $B_{n,k}(T_n)$ for all integers $n$ such that $2 < n < \ell^2$. We observe that $\Pi_{k+1}$ coincides with $\Pi_k$ on $J_1(\ell)[\ell^k]$. So we have defined a map $\Pi : J_1(\ell)[\ell^\infty] \to J_1(\ell)[\ell^\infty]$.

We have the following.

Lemma 23 (The Ramanujan modules) For $k \ge 1$ an integer, we denote by $G_k$ the subgroup of $J_1(\ell)[\ell^k]$ consisting of elements killed by some power of $\mathfrak{m}$. Let $G$ be the union of all $G_k$. The group $G_k$ is the image $\Pi_k(J_1(\ell)[\ell^k])$ of the $\ell^k$-torsion by $\Pi_k$. It is killed by $\mathfrak{m}^{2kg(X_1(\ell))}$ and the restriction of $\Pi_k$ to $G_k$ is a bijection. Further $G_{k+1}[\ell^k] = G_k = \ell G_{k+1}$. The $(\mathbb{Z}/\ell^k\mathbb{Z})$-module $G_k$ is free. We call it the Ramanujan module.

We show that for every integer $n > 2$, the restriction of $B_{n,k}(T_n)$ to $G_k$ is a bijection. It suffices to show injectivity. Assume $B_{n,k}(T_n)$ restricted to $G_k$ is not injective. There is a non-zero $\ell$-torsion element $P$ in its kernel. This $P$ is killed by $(T_n - \tau(n))^m$ (mod $\ell$) for some integer $m$. It is also killed by $B_n(T_n)$ (mod $\ell$). Since these two polynomials are coprime, $P$ is zero, contradiction.

So $\Pi_k$ is an automorphism of $G_k$. In particular $G_k \subset \Pi_k(J_1(\ell)[\ell^k])$. We set $I_k = \Pi_k(J_1(\ell)[\ell^k])$ and we prove the converse inclusion $I_k \subset G_k$. For every integer $n$ between 2 and $\ell^2$, the restriction of $T_n$ to $I_1$ is killed by $(X - \tau(n))^{e_n}$. Since the Hecke algebra is generated by these $T_n$ and is commutative, its image in $\mathrm{End}(I_1)$ is triangulisable¹ and consists of matrices with a single eigenvalue. We deduce that for every integer $n$ the restriction of $T_n$ to $I_1$ has a single eigenvalue (namely $\tau(n)$ (mod $\ell$)). Because the dimension of $I_1$ as a $\mathbb{F}_\ell$-vector space is $\le 2g(X_1(\ell))$ we deduce that $I_1$ is killed by $\mathfrak{m}^{2g(X_1(\ell))}$. So $I_1 = G_1$ is killed by $\mathfrak{m}^{2g(X_1(\ell))}$.

For every integer $n$ between 2 and $\ell^2$, the restriction of $T_n$ to $I_k[\ell]$ is killed by $C_{n,k}(X)$ which is congruent to $(X - \tau(n))^{e_n}$ modulo $\ell$. So $I_k[\ell]$ is killed by $(T_n - \tau(n))^{e_n}$ and by $\mathfrak{m}^{2g(X_1(\ell))}$. So
any morphism in m ^ g (x 1 (e)) ms = So Ifc is ^11^ by m 2k 9 (x 1 (e)) and i fe = G fe . 

It is clear that $\ell G_{k+1} \subset G_k$. Conversely if $P = \Pi_k(Q)$ and $Q$ is $\ell^k$-torsion then let $R$ such that $\ell R = Q$ and $S = \Pi_{k+1}(R)$. Then $S$ is in $I_{k+1} = G_{k+1}$ and $\ell S = \Pi_{k+1}(Q) = \Pi_k(Q) = P$. So $\ell G_{k+1} = G_k$. From $G_{k+1}[\ell^k] = \ell G_{k+1}$ we deduce that $G_{k+1}$ is a free $(\mathbb{Z}/\ell^{k+1}\mathbb{Z})$-module. □

We now study the Galois action on this divisible group. Let $p \ne \ell$ be a prime. We regard $J_1(\ell)$ as a variety over the finite field $\mathbb{F}_p$. The Ramanujan module $G = J_1(\ell)[\mathfrak{m}^\infty]$ is then an $\ell$-divisible group inside $J_1(\ell)[\ell^\infty]$ in the sense of definition [T3l. According to the Eichler-Shimura identity $F_p^2 - T_pF_p + p\langle p \rangle = 0$. The diamond operator $\langle p \rangle \in \mathbb{T}$ has a unique eigenvalue on $G_1$, namely $p^{10}$ (mod $\ell$). Since $F_p$ commutes with $\mathbb{T}$, the algebra generated by $\mathbb{T}$ and $F_p$ is triangulisable¹ in $\mathrm{GL}(G_1 \otimes \bar{\mathbb{F}}_\ell)$. So any eigenvalue of $F_p$ on $G_1$ is killed by $X^2 - \tau(p)X + p^{11}$ (mod $\ell$). Let $\eta$ be an integer that kills the roots of the polynomial $X^2 - \tau(p)X + p^{11}$ (mod $\ell$) in $\bar{\mathbb{F}}_\ell^*$. For example one may take $\eta = \ell^2 - 1$. As an endomorphism of $G_1$ one has $F_p^{\eta} = \mathrm{Id} + n$ where $n$ is nilpotent. Since the dimension of $G_1$ is $\le 2g(X_1(\ell)) \le \ell^2$ one has $n^{\ell^2} = 0$ and $F_p^{\eta\ell^2} = \mathrm{Id}$. So $G_1$ splits completely over $\mathbb{F}_{p^{\ell^2(\ell^2-1)}}$. As a consequence, $G_k$ splits completely over the extension of degree $(\ell^2 - 1)\ell^{k+1}$ of $\mathbb{F}_p$.

Lemma 24 (Galois action on the Ramanujan module) If $p \ne \ell$ is a prime, then the Ramanujan module $G = J_1(\ell)[\mathfrak{m}^\infty]$ is a divisible group inside $J_1(\ell)[\ell^\infty](\bar{\mathbb{F}}_p)$. Let $\eta$ be an integer that kills the roots of $X^2 - \tau(p)X + p^{11}$ in $\bar{\mathbb{F}}_\ell^*$. For example $\eta = \ell^2 - 1$. The $\ell^k$-torsion $G_k = G[\ell^k]$ inside $G$ splits completely over the extension of degree $\eta\ell^{k+1}$ of $\mathbb{F}_p$.

For computational convenience we may prefer $X_\ell = X_1(5\ell)$ to $X_1(\ell)$. If this is the case, we embed $G$ inside the jacobian $J_\ell$ of $X_\ell$ using the map $\phi^*$. For the sake of simplicity we present the calculations below in the context of $J_1(\ell)$ although they take place inside $J_\ell$.

The knowledge of a non-zero element in $G_k$ sometimes suffices to construct a basis of $V_\ell(\bar{\mathbb{F}}_p)$:

Lemma 25 (The inert case) Assume $X^2 - \tau(p)X + p^{11}$ (mod $\ell$) is irreducible. Let $k \ge 1$ be an integer and $q = p^d$ a power of $p$. Given a non zero element in $G_k(\mathbb{F}_q)$, one can compute a basis of $V_\ell(\bar{\mathbb{F}}_p)$ in polynomial time in $\log q$, $\ell$ and $k$.

Indeed, let $P \in G_k(\mathbb{F}_q)$ be non-zero. We replace $P$ by $\ell P$ until we find a non-zero element in $G_1(\mathbb{F}_q)$. Given such a $P$ we can test whether it belongs to $V_\ell$ by computing $(T_n - \tau(n))P$ for all $2 < n < \ell^2$. If we only obtain zeroes this shows $P$ is in $V_\ell$. Otherwise we replace $P$ by some non-zero $(T_n - \tau(n))P$ and test again. This process stops after $2g(X_1(\ell))$ steps at most, and produces a non-zero element $P$ in $V_\ell(\mathbb{F}_q)$. Since $F_p$ has no eigenvector in $V_\ell(\bar{\mathbb{F}}_p)$, the couple $(P, F_p(P))$ is a basis of $V_\ell(\bar{\mathbb{F}}_p)$. □

¹ If $K$ is a field and $V$ a $K$-vector space, we write $\mathcal{L}(V)$ for the algebra of linear maps from $V$ to itself. Let $A$ be a subset of $\mathcal{L}(V)$. We say that $A$ is triangulisable if there exists a basis $B$ of $V$ such that the matrix of every element in $A$ with respect to $B$ is upper triangular.

So assuming that $\tau(p)^2 - 4p^{11}$ is not a square modulo $\ell$ we have a simpler method to construct a basis for the Ramanujan module $V_\ell$ modulo $p$:

We set q = p^~^ A . We have G(F ? ) DG 2 = G 2 (F,). Set JV, = #Jx(£)(F 9 ) = M ? L g where 
$M_q$ is prime to $\ell$. This $N_q$ can be computed using Manin symbols as in lemma 21. Let $L_q = \ell^w$. The image of $J_1(\ell)(\mathbb{F}_q)$ by the morphism $\psi = \Pi_w \circ [M_q]$ contains $G_2(\mathbb{F}_q)$ and is in fact equal to $G(\mathbb{F}_q)$. We check $\#G(\mathbb{F}_q) \ge \#G_2 \ge \ell^4$. So at least one of the elements in $J_1(\ell)(\mathbb{F}_q)$ given by lemma 9 has a non-zero image by $\psi$ for $\ell$ large enough. We apply lemma 25 to this element and find a basis for the Ramanujan module at $\ell$.

We now assume the polynomial $X^2 - \tau(p)X + p^{11} \bmod \ell$ has two distinct roots $a \bmod \ell$ and $b \bmod \ell$. So $(F_p - a)^{2g(X_1(\ell))}(F_p - b)^{2g(X_1(\ell))}$ kills $G_1$. Since $G_1 = G_k[\ell]$ we deduce that $(F_p - a)^{2kg(X_1(\ell))}(F_p - b)^{2kg(X_1(\ell))}$ kills $G_k$.

This leads us to the following definition.

Definition 4 (Split Ramanujan modules) Assume $X^2 - \tau(p)X + p^{11} \bmod \ell$ has two distinct roots $a \bmod \ell$ and $b \bmod \ell$ where $a$ and $b$ are integers. Let $\mathfrak{m}_a$ be the ideal in $\mathbb{T}[F_p]$ generated by $\ell$, all $T_n - \tau(n)$ and $F_p - a$. Let $V_{\ell,a} = J_1(\ell)[\mathfrak{m}_a] \subset V_\ell$ be the eigenspace associated with $a$. For $k \ge 1$ an integer, we denote by $G_{k,a}$ the subgroup of $J_1(\ell)[\ell^k]$ consisting of elements killed by some power of $\mathfrak{m}_a$. Let $\Pi_{k,a}$ be the composition of $\Pi_k$ and $(F_p - b)^{2kg(X_1(\ell))}$. We denote by $G_a$ the union of all $G_{k,a}$.

We have the following.

Lemma 26 (Properties of split Ramanujan modules) For every integer k > 1, the group G fc a 
is the image Hk, a {Ji{£)[£ h }) of the £ k -torsion by Hk, a - It is killed by xna 9{ ~ Xl ^ and the restriction 
ofHk,a to Gk, a is a bijection. So G a = J]_(£)[m£°] C G is a divisible group. Let rj be an integer 
that kills a in ( e.g. r] = £ — 1). Then Gfc, a splits over ¥ t k+i. 

The lemma below is the counterpart to lemma 25 in the split non-scalar case.

Lemma 27 (The split non-scalar case) Assume $X^2 - \tau(p)X + p^{11}$ (mod $\ell$) has two distinct roots $a$ (mod $\ell$) and $b$ (mod $\ell$). Let $k \ge 1$ be an integer and $q = p^d$ a power of $p$. Given a non zero element in $G_{k,a}(\mathbb{F}_q)$, one can compute a generator of $V_{\ell,a}$ in polynomial time in $\log q$, $\ell$ and $k$.

So if $\tau(p)^2 - 4p^{11}$ is a non-zero square modulo $\ell$ we also have a simple method to construct a basis for the Ramanujan module $V_\ell$ modulo $p$:

We let $a$ (mod $\ell$) and $b$ (mod $\ell$) be the two roots of $X^2 - \tau(p)X + p^{11}$ (mod $\ell$). Take $q = p^{(\ell-1)\ell^4}$. We have $G_a(\mathbb{F}_q) \supset G_{3,a} = G_{3,a}(\mathbb{F}_q)$. We set $N_q = \#J_1(\ell)(\mathbb{F}_q) = M_qL_q$ with $M_q$ prime to $\ell$. Let $L_q = \ell^w$ and $\psi = \Pi_{w,a} \circ [M_q]$. The image of $J_1(\ell)(\mathbb{F}_q)$ by $\psi$ contains $G_{3,a}(\mathbb{F}_q)$ and is in fact equal to $G_a(\mathbb{F}_q)$. We check $\#G_a(\mathbb{F}_q) \ge \#G_{3,a} \ge \ell^3$. So at least one of the elements in $J_1(\ell)(\mathbb{F}_q)$ given by lemma 9 has a non-zero image by $\psi$ for $\ell$ large enough. We apply lemma 27 to this element and find a generator of $V_{\ell,a}$. A similar calculation produces a generator of $V_{\ell,b}$. These two eigenvectors form a basis of $V_\ell$ modulo $p$.

All this is enough to compute the Ramanujan ideal when the Frobenius action on it is semisimple non-scalar i.e. when $\ell$ is prime to $\tau(p)^2 - 4p^{11}$.

Remark 6 The main simplification in this variant is that we do not need to compute pairings. In practice, one would just take a random degree zero $\mathbb{F}_q$-divisor on $X_1(\ell)$, multiply it by the prime to $\ell$ part of $\#J_1(\ell)(\mathbb{F}_q)$ and apply a few $B_{n,k}(T_n)$ to it. This should usually suffice.

Remark 7 If $\ell$ divides $\tau(p)^2 - 4p^{11}$, the method described in this section is no longer sufficient but one can easily show that it provides at least one non-zero element in $V_\ell$ modulo $p$.

13 Computing the Ramanujan subspace over Q 

Once one has computed the Ramanujan space $V_\ell$ inside $J_1(\ell)$ (or rather $W_\ell$ inside $J_\ell$ the jacobian of $X_\ell$) modulo $p$ for many small primes $p$, one can try to compute this space over the rationals. This calculation is described in detail in [11, Section 13]. In this section we sketch a variant of the method presented in [11, Section 13]. We then explain how this method should be modified to fit with the simplified method presented in section 12. This leads us to a sort of generalization of the Chinese Remainder Theorem that is more adapted to the context of polynomials with integer coefficients.

The complexity analysis of the methods presented in this section relies on results in Arakelov theory that have been proven by Bas Edixhoven and Robin de Jong, using results by Merkl in 0TJ or J. Jorgenson and J. Kramer in [19]. In fact, the complexity analysis of the variant described here requires a bit more than what has been already given in [11]. The necessary bounds to the proof of this variant will appear in Peter Bruin's PhD thesis [4].

We use the model over Zf^] for Xi = Xi(5£) that is described in section [TOl We start by 
fixing a Q-rational cusp O on Xg. This will be the origin of the Jacobi map. 

Let $x$ be a point in $J_\ell(\bar{\mathbb{Q}})$. We denote by $\theta(x)$ the smallest integer $k$ such that there exists an effective divisor $D$ of degree $k$ such that $D - kO$ belongs to the class represented by $x$ in the Picard group. We call $\theta(x)$ the stability of $x$. For all but finitely many primes $p$ and for any place $\mathfrak{p}$ of $\mathbb{Q}(x)$ above $p$, one can define $\theta_{\mathfrak{p}}(x)$ the stability of $x$ modulo $\mathfrak{p}$: the smallest integer $k$ such that there exists an effective divisor $D$ of degree $k$ such that $D - kO$ belongs to the class represented by $x \bmod \mathfrak{p}$ in the Picard group of $X_\ell \bmod \mathfrak{p}$. We define $\theta_p(x)$ to be the minimum of all $\theta_{\mathfrak{p}}(x)$ for all places $\mathfrak{p}$ above $p$. We note that $\theta_p(x) \le \theta_{\mathfrak{p}}(x) \le \theta(x)$ whenever $\theta_p(x)$ is defined. Clearly $\theta_p(x)$ is defined and equal to $\theta(x)$ for all large enough primes.

A consequence of the results by Bas Edixhoven and Robin de Jong, extended by Peter Bruin
in his forthcoming PhD thesis, see [11, 4], is that, for at least half the primes smaller than £°, the
following holds: $\theta_p(x)$ is defined and equal to $\theta(x)$ for all $x$ in $W_\ell$. Notice that $\theta(x) = \theta(y)$ if $x$
and $y$ are Galois conjugate.

Now let $x$ be a non-zero point in $W_\ell$. We can compute $x$ modulo places $\mathfrak{p}$ above $p$, for many
small (e.g. polynomial in $\ell$) primes $p$ such that $\theta_p(x) = \theta(x)$. We only use primes such that
$\theta_p(x) = \theta(x)$ for every $x$ in $W_\ell$.

There is a unique effective divisor $D = P_1 + \cdots + P_{\theta(x)}$ such that $D - \theta(x)O$ is mapped onto
$x$ by the Jacobi map. This divisor remains unique modulo all the places $\mathfrak{p}$ in question. Further, no
$P_i$ specializes to $O$ modulo any such $\mathfrak{p}$. So we choose a function $f$ on $X_\ell$ having no pole except
at $O$. We define e.g. $F(x) = f(P_1) + \cdots + f(P_{\theta(x)})$.

We form the polynomial

$$P_k(X) = \prod_{y \in W_\ell \text{ with } \theta(y) = k} (X - F(y)).$$

This polynomial has coefficients in $\mathbb{Q}$. For the above primes $p$ we have

$$P_k(X) \bmod \mathfrak{p} = \prod_{y \in W_\ell \bmod \mathfrak{p} \text{ with } \theta_{\mathfrak{p}}(y) = k} (X - F(y)).$$

We set $P(X) = \prod_{k > 0} P_k(X)$. If the Galois action on $W_\ell - \{0\}$ is transitive then $P(X)$
is likely to be irreducible and equal to the unique non-trivial $P_k(X)$. To be quite rigorous one
should say some more about the choice of $f$. See [11, Section 22].

If a reasonable $f$ (e.g. the divisor of $f$ is $n(O - O')$ where $O'$ is another rational cusp and $n$
is the order of $O - O'$ in the jacobian) is chosen then Peter Bruin, improving on Edixhoven, de
Jong, and Merkl, proves in [4] that the logarithmic height of $P(X)$ is bounded by a polynomial
in $\ell$.

If we know $W_\ell$ modulo $p$ then we can compute $P(X)$ modulo $p$ and, provided we have
taken enough such primes $p$, we deduce $P(X)$ using the Chinese remainder theorem and the bounds
proved by Edixhoven, de Jong, Merkl and Bruin.

However, if we use the simplified algorithm presented in section 12 we shall only obtain
$P(X)$ modulo $p$ for those $p$ such that $\ell$ does not divide $\tau(p)^2 - 4p^{11}$. If $\ell$ divides $\tau(p)^2 - 4p^{11}$
then we may only obtain a non-trivial factor of $P(X) \bmod p$. This factor has degree $\ell - 1$ in fact.

This leads us to the following problem: 

Let $P(X)$ be a degree $d > 2$ irreducible² polynomial with integer coefficients.

Let $H$ be an upper bound for the naive height of $P(X)$: any coefficient of $P$ lies in $[-H, H]$.

Let $I$ be a positive integer and for every integer $i$ from 1 to $I$ assume we are given an integer
$N_i > 2$ and a degree $a_i$ monic polynomial $A_i(X)$ in $\mathbb{Z}[X]$ where $1 \le a_i \le d$. Assume the $N_i$ are
pairwise coprime.

Question: assuming $P(X) \bmod N_i$ is a multiple of $A_i(X) \bmod N_i$ for every $i$, can we recover
$P(X)$, and is $P(X)$ the unique polynomial fulfilling all these conditions?

We start with the following.

Lemma 28 (Resultant and intersections) Let $P$ and $Q$ be two non-constant polynomials with
integer coefficients and trivial gcd³. Let $N > 2$ be an integer. If $P \bmod N$ and $Q \bmod N$ are
both multiples of the same degree $d \ge 1$ monic polynomial $A \bmod N$, then the resultant of $P$
and $Q$ is divisible by $N^d$.

This easily follows from the resultant being given as a determinant. □

² irreducible means here irreducible in the ring $\mathbb{Z}[X]$.
³ the gcd here is the gcd in the ring $\mathbb{Z}[X]$.

Let $V_d$ be the additive group of integer coefficient polynomials with degree $\le d$. Let
$\rho_i : V_d \to \mathbb{Z}[X]/(A_i, N_i)$ be the reduction map modulo the ideal $(A_i, N_i)$.
The product map

$$\rho = \prod_{1 \le i \le I} \rho_i : V_d \to \prod_{1 \le i \le I} \mathbb{Z}[X]/(A_i, N_i)$$

is surjective (Chinese remainder). Its kernel is therefore a lattice $\mathcal{R}$ with index $\Theta = \prod_{1 \le i \le I} N_i^{a_i}$
in $V_d = \mathbb{Z}^{d+1}$.

If $P_1$ and $P_2$ are two coprime non-constant polynomials with degree $\le d$ and respective naive
heights $K_1$ and $K_2$, then their resultant is bounded above by $(2d)!\,K_1^d K_2^d$. If further $P_1, P_2 \in \mathcal{R}$
then, according to lemma 28, $\Theta = \prod_{1 \le i \le I} N_i^{a_i}$ divides the resultant of $P_1$ and $P_2$.

Lemma 29 (Heights and intersections) Let $(N_i)_{1 \le i \le I}$ be pairwise coprime integers. Let $P$ be
an irreducible polynomial with integer coefficients and degree $d > 2$ and naive height bounded by
$H$. Let $Q$ be a polynomial with integer coefficients and degree $\le d$ and naive height bounded by
$K$. Assume that for every $i$ from 1 to $I$ the polynomials $P \bmod N_i$ and $Q \bmod N_i$ are multiples
of the same monic polynomial $A_i(X) \bmod N_i$ with degree $a_i$ where $1 \le a_i \le d$. Assume further
that

$$\prod_{1 \le i \le I} N_i^{a_i} > (2d)!\,H^d K^d.$$

Then $Q$ is a multiple of $P$.

We observe that the $L^2$ norm of $P$ is $\le H\sqrt{d+1}$. Also, if $Q$ has $L^2$ norm $\le H\sqrt{d+1}$ then
its coefficients are $\le H\sqrt{d+1}$. Therefore if

$$\Theta = \prod_{1 \le i \le I} N_i^{a_i} > (2d)!\,(d+1)^{d/2} H^{2d}$$

the polynomial $P$ is the shortest vector in the lattice $\mathcal{R}$ for the $L^2$ norm.

Applying the LLL algorithm to the lattice $\mathcal{R}$ we find ([6, Theorem 2.6.2]) a vector in it with
$L^2$ norm $\le 2^{d/4}\,\Theta^{\frac{1}{d+1}}$. Taking this latter value for $K$ we see that if

$$\prod_{i} N_i^{a_i} > (2d)!^{\,d+1} H^{d(d+1)} 2^{\frac{d^2(d+1)}{4}}$$

then the vector output by the LLL algorithm is a multiple of $P$.

Lemma 30 (Interpolation and lattices) Let $d > 2$ be an integer. Let $I$ be a positive integer and
for every $i$ from 1 to $I$ let $N_i > 2$ be an integer and $A_i(X)$ a monic polynomial with integer
coefficients and degree $a_i$ where $1 \le a_i \le d$. We assume the coefficients in $A_i(X)$ lie in the
interval $[0, N_i[$.

We assume there exists an irreducible polynomial $P(X)$ with degree $d$ and integer coefficients
and naive height $\le H$ such that $P(X) \bmod N_i$ is a multiple of $A_i(X) \bmod N_i$ for all $i$.
We assume the $N_i$ are pairwise coprime and

$$\prod_{1 \le i \le I} N_i^{a_i} > (2d)!^{\,d+1} H^{d(d+1)} 2^{\frac{d^2(d+1)}{4}}.$$

Then $P(X)$ is the unique polynomial fulfilling all these conditions and it can be computed
from the $(N_i, A_i(X))$ by a deterministic Turing machine in time polynomial in $d$, $\log H$ and $I$,
and the $\log N_i$.

Note that the dependency on $I$ and $\log N_i$ is harmless because one may remove some
information if there is too much of it. We can always do with some $I$ and $\log N_i$ that are polynomial
in $d$ and $\log H$.

This lemma shows that we can compute (lift) the Ramanujan module $W_\ell$ using the simplified
algorithm of section 12 even if the action of the Frobenius at $p$ on $W_\ell$ is not semisimple for any
auxiliary prime $p$.
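
The recovery that lemma 30 describes can be run end to end on a small case. The following is an added example, not code from the paper: it takes one linear factor of $X^3 - X - 1$ modulo each of eleven primes (constructed sample data), builds the lattice $\mathcal{R}$ for a common degree $a$, and reduces it with a textbook LLL. The names `lll`, `lemma30_bound`, `recover`, `SAMPLE` and `FACTORS` are hypothetical, and the restriction to a common degree $a_i = a$ is an assumption made to keep the lattice basis explicit.

```python
from fractions import Fraction
from math import factorial, prod

def lll(rows, delta=Fraction(3, 4)):
    """Textbook LLL over exact rationals (recomputes Gram-Schmidt; fine for small d)."""
    b, n = [[Fraction(x) for x in r] for r in rows], len(rows)
    dot = lambda u, v: sum(x * y for x, y in zip(u, v))
    def gso():
        bs, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = b[i][:]
            for j in range(i):
                mu[i][j] = dot(b[i], bs[j]) / dot(bs[j], bs[j])
                v = [x - mu[i][j] * y for x, y in zip(v, bs[j])]
            bs.append(v)
        return bs, mu
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):              # size-reduce b[k] against b[j]
            q = round(gso()[1][k][j])
            b[k] = [x - q * y for x, y in zip(b[k], b[j])]
        bs, mu = gso()
        if dot(bs[k], bs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bs[k - 1], bs[k - 1]):
            k += 1                                  # Lovasz condition holds
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            k = max(k - 1, 1)
    return [[int(x) for x in r] for r in b]

def lemma30_bound(d, H):
    """(2d)!^(d+1) * H^(d(d+1)) * 2^(d^2(d+1)/4), exponent of 2 rounded up."""
    return factorial(2 * d) ** (d + 1) * H ** (d * (d + 1)) * 2 ** -(-d * d * (d + 1) // 4)

def recover(d, factors):
    """factors: [(N_i, A_i)], A_i monic of one common degree a, coefficients low to high."""
    mods = [N for N, _ in factors]
    N, a = prod(mods), len(factors[0][1]) - 1
    crt = lambda res: sum(r * (N // m) * pow(N // m, -1, m) for r, m in zip(res, mods)) % N
    A = [crt([Ai[j] for _, Ai in factors]) for j in range(a + 1)]   # A = A_i mod N_i for all i
    rows = [[0] * j + A + [0] * (d - a - j) for j in range(d - a + 1)]   # A * X^j
    rows += [[0] * j + [N] + [0] * (d - j) for j in range(a)]            # N * X^j
    v = lll(rows)[0]                       # first reduced vector, a multiple of P
    return v if v[-1] > 0 else [-x for x in v]

# Constructed sample: (prime p, one root r of X^3 - X - 1 modulo p), so every a_i = 1.
SAMPLE = [(5, 2), (7, 5), (11, 6), (17, 5), (19, 6), (23, 3),
          (37, 13), (43, 10), (59, 4), (67, 7), (503, 8)]
FACTORS = [(p, [-r % p, 1]) for p, r in SAMPLE]   # A_i = X - r, coefficients in [0, p[
```

Calling `recover(3, FACTORS)` returns the coefficients of $X^3 - X - 1$, although no single modulus ever saw more than a degree 1 factor of it.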

14 Are there many semi-simple pairs $(\ell, p)$?

We have seen in section 12 that the computation of $V_\ell$ modulo $p$ becomes simpler whenever the
two primes $p$ and $\ell$ satisfy the condition that $\ell$ is prime to $\tau(p)^2 - 4p^{11}$. If this is the case, we say
that the pair $(\ell, p)$ is good (otherwise it is bad).

In the situation of section 13 we are given a fixed prime $\ell$ and we look for primes $p$ such that
$(\ell, p)$ is good. We need these primes $p$ to be bounded by a polynomial in $\ell$. And there should be
enough of them that we can find them by random search.

This leads us to the following definition. 

Definition 5 (What bad and good mean in this section) We say that a pair $(\ell, p)$ of prime
integers is bad if $\ell$ divides $\tau(p)^2 - 4p^{11}$. Otherwise it is good. Let $c > 1$ be a real. We say that a
given prime $\ell$ is $c$-bad if $(\ell, p)$ is bad for at least half the primes $p < \ell^c$. Otherwise it is $c$-good.
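
Definition 5 can be checked by direct computation for small primes. The following is an added example, not code from the paper: it computes the Ramanujan $\tau$ function from the product expansion of $\Delta$, tests whether $\ell$ divides $\tau(p)^2 - 4p^{11}$, and counts bad pairs below $\ell^c$. The function names `tau_table`, `primes_below`, `is_bad`, `classify` and `is_c_good` are hypothetical.

```python
from math import ceil

def tau_table(n):
    """Ramanujan tau(1..n) from Delta = q * prod_{m>=1} (1 - q^m)^24."""
    coeffs = [1] + [0] * (n - 1)            # power series in q, truncated at q^n
    for m in range(1, n):
        for _ in range(24):                 # multiply in place by (1 - q^m)
            for i in range(n - 1, m - 1, -1):
                coeffs[i] -= coeffs[i - m]
    return [0] + coeffs                     # shift by the extra factor q: tau(k) = table[k]

def primes_below(n):
    """All primes p < n by a plain sieve."""
    sieve = [True] * max(n, 2)
    sieve[0] = sieve[1] = False
    for i in range(2, int(n ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = [False] * len(sieve[i * i::i])
    return [i for i, is_p in enumerate(sieve) if is_p]

def is_bad(l, p, tau):
    """The pair (l, p) is bad when l divides tau(p)^2 - 4 p^11."""
    return (tau[p] ** 2 - 4 * p ** 11) % l == 0

def classify(l, c):
    """Return (bad primes, all primes) among the primes p < l^c."""
    bound = ceil(l ** c)                    # integer p < ceil(l^c) iff p < l^c
    tau = tau_table(bound)
    ps = primes_below(bound)
    return [p for p in ps if is_bad(l, p, tau)], ps

def is_c_good(l, c):
    """l is c-bad when at least half the primes p < l^c give a bad pair."""
    bad, ps = classify(l, c)
    return 2 * len(bad) < len(ps)
```

Since $\tau(p)$ is even for every prime $p$, every pair $(2, p)$ is bad and `is_c_good(2, c)` is always false; for $\ell = 5$ and $c = 2$ only $p = 5$ and $p = 11$ give bad pairs.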

In this section we give an elementary unconditional proof that there are enough good primes
$\ell$. Let $\alpha$, $\beta$, $\gamma$ and $\delta$ be four positive constants such that for every integer $k > 2$ the $k$-th prime $p_k$
satisfies $\alpha k \log k < p_k < \beta k \log k$ and for every real $x > 2$ the arithmetic function $\pi(x)$ giving
the number of primes $\le x$ satisfies $\gamma x (\log x)^{-1} < \pi(x) < \delta x (\log x)^{-1}$.

Work by Tchebitchef allows $\gamma$ = | and $\delta$ = |. Work by Rosser [27] shows that $\alpha = 1$ is
fine. Rosser also proved that $p_k < k(\log k + \log\log k)$ for $k > 6$. So we can take $\beta = 2.17$ for
example. I thank Guillaume Hanrot for pointing out these references to me.

Let $X > 3$ be an integer. Let $L$ be the $X$-th prime integer. Let $\mathcal{X}(c, X)$ be the set of pairs of
primes $(\ell, p)$ with $\ell < L$ and $p < \ell^c$. We set $\ell_1 = p_1 = 2$, $\ell_2 = p_2 = 3$, ... the successive prime
integers. Let $P$ be the largest prime $< L^c$ and let $Y$ be the integer such that $P = p_Y$. One has
$L < \beta X \log X$ and $P < \beta^c X^c (\log X)^c$ and $Y < P$.

Since $\tau(p)^2 - 4p^{11}$ has at most $\log_2(4p^{11})$ prime divisors, there are at most $Y(2 + 11\log_2 P)$
bad pairs and this is $< 51 c \beta^c X^c (\log X)^{c+1}$ provided $X > \beta$. We want to bound from above the
number of bad $\ell < L$. The worst case is when the smallest $\ell$ are bad. Assume all primes $\ell \le \ell_x$
are bad. The number of bad pairs is then at least



2 2^ *Vk)> 2 2^ cloga + clogfc + cloglogfc- 4c ^ * [i ° gk) 

l<k<x l <k<x 6 6 66 ±<k<x 



and this is at least 



4c(c + l)\ V"/ I ~ 8c(c+l 

provided $x > 6/\alpha$. Assume at least half of the primes $\ell < L$ are bad. Then the number of bad
pairs is at least $\frac{\gamma\alpha^c}{8c(c+1)}(X/2)^{c+1}$ provided $X > 12/\alpha$. So

$$\frac{\gamma\alpha^c}{8c(c+1)}(X/2)^{c+1} < 51 c \beta^c X^c (\log X)^{c+1}$$

so

$$\frac{X}{(\log X)^{c+1}} < 816 \left(\frac{2\beta}{\alpha}\right)^c c^2 (c+1)\gamma^{-1}.$$

We call $a$ the right-hand side in the above inequality. We set $Z = X^{\frac{1}{c+1}}$ and we have $\frac{Z}{\log Z} <
(c+1)a^{\frac{1}{c+1}}$. Since $\log Z < \sqrt{Z}$ we have $Z < (c+1)^2 a^{\frac{2}{c+1}}$ and $X < (c+1)^{2(c+1)} a^2$.




Lemma 31 Let $\alpha$, $\beta$, $\gamma$ and $\delta$ be the four constants introduced before definition 5 above. Let
$c > 1$ be a real number. Assume $X$ is an integer bigger than $816^2 c^4 (c+1)^{2(c+2)} \left(\frac{2\beta}{\alpha}\right)^{2c} \gamma^{-2}$.
Then at least half among the $X$ first primes are $c$-good.

Lemma 32 (Effective bound for the density of good primes $\ell$) Let $c > 1$ be a real number.
Assume $X$ is an integer bigger than $2^{23+5c} c^4 (c+1)^{2(c+2)}$. Then at least half among the $X$ first
primes are $c$-good.



A A GP-PARI code for Puiseux expansions at singular branches of modular curves

Below are a few lines of GP-PARI code (see [1]) that compute the expansions of $x_{a,b}$ as series in
$b^{-1/\ell}$ with coefficients in a finite field containing a primitive $\ell$-th root of unity. We use the methods
and notation given in section 10 before the statement of lemma 19.

Our code computes the $q$-series for the modular function $j$ as

$$j(q) = \frac{1728\,E_4^3(q)}{E_4^3(q) - E_6^2(q)}$$

where

$$E_4(q) = 1 + 240 \sum_{n \ge 1} \frac{n^3 q^n}{1 - q^n}$$

and

$$E_6(q) = 1 - 504 \sum_{n \ge 1} \frac{n^5 q^n}{1 - q^n}.$$

The expansions for the $x_{a,b}$ are then obtained through standard operations on series like
product, sum, reversion, composition.

{ser(aa,bb,prec,ell,p,z,b,jc,E4,E6,D,jq,qc,gc,w,x)=
/* level ell, prime field F_p, z an ell-th root of unity modulo p */
ell=7;
p=953;
z=Mod(431,p);
b=1/c;
/* j as a function of the parameter b, expanded in c=1/b */
jc=(b^4-12*b^3+14*b^2+12*b+1)^3/b^5/(b^2-11*b-1);
/* Eisenstein series, discriminant and j as q-series */
E4=sum(n=1,prec,n^3*q^n/(1-q^n))*240+1+O(q^prec);
E6=sum(n=1,prec,-n^5*q^n/(1-q^n))*504+1+O(q^prec);
D=(E4^3-E6^2)/1728;
jq=E4^3/D;
/* q as a series in c, by reverting 1/j */
qc=subst(serreverse(1/jq),q,1/jc+O(c^prec));
gc=-36*b*(b^2-11*b-1)*deriv(qc)*(-c^2)/5/qc;
w=z^aa*Q^(2+5*bb);
xabs=Mod(1,p)*(1/12
+sum(n=1,prec,
w*Q^(5*ell*n)/(1-w*Q^(5*ell*n))^2+O(Q^(5*ell*prec)))
+w/(1-w)^2
+sum(n=1,prec,
Q^(5*ell*n)/w/(1-(w)^(-1)*Q^(5*ell*n))^2+O(Q^(5*ell*prec)))
-2*sum(n=1,prec,
n*Q^(5*ell*n)/(1-Q^(5*ell*n))+O(Q^(5*ell*prec))));
/* change of variable from c to Q, then from Q to C */
cQ=subst(serreverse((qc/c^5)^(1/5)*c),c,Q^ell);
bQ=1/cQ;
gQ=subst(gc,c,cQ);
XabQ=(gQ*xabs-3*(bQ^2-6*bQ+1))/36;
QC=subst(serreverse(1/((bQ*Q^ell)^(1/ell)/Q)),Q,C);
XabC=subst(XabQ,Q,QC);
}

B A Magma code that computes the zeta function of modular curves

Below are a few lines written in the Magma language (see [2]). They compute the characteristic
polynomial of the Frobenius of $X_1(5\ell)/\mathbb{F}_p$ using the methods given in the proof of lemma 21.

ZZ:=IntegerRing();
l:=11;
N:=5*11;
QN:=CyclotomicField(EulerPhi(N));
R1<T>:=PolynomialRing(QN,1);
R2<T,U>:=PolynomialRing(QN,2);
// Dirichlet characters modulo N with values in QN
G:=DirichletGroup(N,QN);
chars:=Elements(G);
gen4:=chars[2];
gen10:=chars[5];
Genus(Gamma1(N));
charsmc:=[gen4,gen4^2,gen4^4,gen4*gen10,gen4^2*gen10,
gen10,gen4*gen10^2,gen4^2*gen10^2,gen10^2,gen4*gen10^5,
gen4^2*gen10^5,gen10^5];
p:=101;
PT:=R2!1;
W:=1;
g:=1;
// multiply the contributions of the Hecke polynomials at p, one per character
for eps in charsmc do
M:=ModularForms([eps],2);
P:=R2!Evaluate(HeckePolynomial(CuspidalSubspace(M),p),T);
g:=Degree(P,T);
W:=Evaluate(P,[T+Evaluate(eps,p)*p/T,1])*T^g;
PT:=PT*W;
end for;
PT:=R2!PT;
// characteristic polynomial of the k-th power of the Frobenius
k:=2;
PTk:=Resultant(PT,T^k-U,T);